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iAPX 286/10 
HIGH PERFORMANCE MICROPROCESSOR 
WITH MEMORY MANAGEMENT AND PROTECTION 



■ High Performance 8 and 10 MHz 
Processor (Up to six times iAPX 86) 

■ Large Address Space: 
— 16 Megabytes Physical 

— 1 Gigabyte Virtual per Task 

■ Integrated Memory Management, Four- 
Level Memory Protection and Support 
for Virtual Memory and Operating 
Systems 

■ Two iAPX 86 Upward Compatible 
Operating Modes: 

—iAPX 86 Real Address Mode 
— Protected Virtual Address Mode 



■ Optional Processor Extension: 
—iAPX 286/20 High Performance 80-bit 

Numeric Data Processor 

■ Complete System Development 
Support: 

— Development Software: Assembler, 
PL/M, Pascal, FORTRAN, and System 
Utilities 

— In-Circuit-Emulator (ICE™ -286) 

■ High Bandwidth Bus Interface 
(8 or 10 Megabyte/Sec) 

The iAPX 286/10 (80286 part number) is an advanced, high-performance microprocessor with specially optimized 
capabilities for multiple user and multi-tasking systems. The 80286 has built-in memory protection that supports 
operating system and task isolation as well as program and data privacy within tasks. A 10 MHz iAPX 286/10 provides 
up to six times greater throughput than the standard 5 MHz iAPX 86/10. The 80286 includes memory management 
capabilities that map up to 230 bytes (one gigabyte) of virtual address space per task into 2 24 bytes (16 megabytes) of 
physical memory. 

The iAPX 286 is upward compatible with iAPX 86 and 88 software. Using iAPX 86 real address mode, the 80286 is 
object code compatible with existing iAPX 86, 88 software. In protected virtual address mode, the 80286 is source 
code compatible with iAPX 86, 88 software and may require upgrading to use virtual addresses supported by the 
80286's integrated memory management and protection mechanism. Both modes operate at full 80286 performance 
and execute a superset of the iAPX 86 and 88's instructions. 

The 80286 provides special operations to support the efficient implementation and execution of operating systems. 
For example, one instruction can end execution of one task, save its state, switch to a new task, load its state, and 
start execution of the new task. The 80286 also supports virtual memory systems by providing a segment-not-present 
exception and restartable instructions. 
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Figure 1 . 80286 Internal Block Diagram 
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Figure 2. 80286 Pin Configuration 



Table 1 . Pin Description 



Symbol 


Type 


Name and Function 


CLK 


I 


System Clock provides the fundamental timing for iAPX 286 systems. It is a 16 MHz signal divided 
by two inside the 80286 to generate the 8 MHz processor clock. The internal divide-by-two circuitry 
can be synchronized to an external clock generator by a LOW to HIGH transition on the RESET 
input. 


D15-D0 


I/O 


Data Bus inputs data during memory, I/O, and interrupt acknowledge read cycles; outputs data 
during memory and I/O write cycles. The data bus is active HIGH and floats to 3-state OFF during 
bus hold acknowledge. 


A23"Ao 


o 


Address Bus outputs physical memory and I/O port addresses. AO is LOW when data is to be 
transferred on pins D7_o- A23-A16 are LOW during I/O transfers. The address bus is active HIGH 
and floats to 3-state OFF during bus hold acknowledge. 


BHE 


o 


Bus High Enable indicates transfer of data on the upper byte of the data bus, D-|5_r. Eight-bit 
oriented devices assigned to the upper byte of the data bus would normally use BHE to con- 
dition chip select functions. BHE is active LOW and floats to 3-state OFF during bus hold acknowledge. 








BHE and AO Encodings 










BHE Value 


AO Value 


Function 













1 
1 



1 



1 


Word transfer 

Byte transfer on upper half of data bus (D^-g) 
Byte transfer on lower half of data bus (D/_o) 
Reserved 
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Table 1 . Pin Description (Cont.) 



Symbol 



Type 



Name and Function 



S1,S0 



Bus Cycle Status indicates initiation of a bus cycle and, along with M/|0 and COD/ I NTA , defines the 
type of bus cycle. The bus is in a T s state whenever one or both are LOW. Sj[ and SO are active LOW 
and float to 3-state OFF during bus hold acknowledge. 



80286 Bus Cycle Status Definition 


COD/INTA 


M/IO 


S1 


so 


Bus cycle initiated 


(LOW) 











Interrupt acknowledge 











1 


Reserved 








1 





Reserved 








1 


1 


None; not a status cycle 





1 








IF A1 = 1 then halt; else shutdown 





1 





1 


Memory data read 





1 


1 





Memory data write 





1 


1 


1 


None; not a status cycle 


1 (HIGH) 











Reserved 


1 








1 


I/O read 


1 





1 





I/O write 


1 





1 


1 


None; not a status cycle 


1 


1 








Reserved 


1 


1 





1 


Memory instruction read 


1 


1 


1 





Reserved 


1 


1 


1 


1 


None; not a status cycle 



M/IO 



O 



Memory/IO Select distinguishes memory access from I/O access. If HIGH during T s , a memory 
cycle or a halt/shutdown cycle is in progress. If LOW, an I/O cycle or an interrupt acknowledge cycle 
is in progress. M/IO floats to 3-state OFF during bus hold acknowledge. 



COD/INTA 



Code/Interrupt Acknowledge distinguishes instruction fetch cycles fro m mem ory data read cycles. 
Also distinguishes interrupt acknowledge cycles from I/O cycles. COD/INTA floats to 3-state OFF 
during bus hold acknowledge. 



LOCK 



Bus Lock indicates that ot her sys tem bus masters are not to gain control of the system bus following 
the current bus cycle. The LOCK signal may be activated explicitly by the "LOCK" instruction prefix 
or automatically by 802 86 hard ware during memory XCHG instructions, interrupt acknowledge, or 
descriptor table access. LOCK is active LOW and floats to 3-state OFF during bus hold acknowledge. 



READY 



Bus R eady ter minates a bus cycle. Bus cycles are extended without limit until terminated by READY 
LOW. READY is an active LOW synchro nous inp ut requiring setup and hold times relative to the 
system clock be met for correct operation. READY is ignored during bus hold acknowledge. 



HOLD 
HLDA 



I 

O 



Bus Hold Request and Hold Acknowledge control ownership of the 80286 local bus. The HOLD 
input allows another local bus master to request control of the local bus. When control is granted, the 
80286 will float its bus drivers to 3-state OFF and then activate HLDA, thus entering the bus hold 
acknowledge condition. The local bus will remain granted to the requesting master until HOLD 
becomes inactive which results in the 80286 deactivating HLDA and regaining control of the local 
bus. This terminates the bus hold acknowledge condition. HOLD may be asynchronous to the system 
clock. These signals are active HIGH. 



INTR 



Interrupt Request requests the 80286 to suspend its current program execution and service a 
pending external request. Interrupt requests are masked whenever the interrupt enable bit in the 
flag word is cleared. When the 80286 responds to an interrupt request, it performs two interrupt 
acknowledge bus cycles to read an 8-bit interrupt vector that identifies the source of the interrupt. To 
assure program interruption, INTR must remain active until the first interrupt acknowledge cycle is 
completed. INTR is sampled at the beginning of each processor cycle and must be active HIGH at 
least two processor cycles before the current instruction ends in order to interrupt before the next 
instruction. INTR is level sensitive, active HIGH, and may be asynchronous to the system clock. 



NMI 



Non-maskable Interrupt Request interrupts the 80286 with an internally supplied vector value of 
2. No interrupt acknowledge cycles are performed. The interrupt enable bit in the 80286 flag word 
does not affect this input. The NMI input is active HIGH, may be asynchronous to the system clock, 
and is edge triggered after internal synchronization. For proper recognition, the input must have 
been previously LOW for at least four system clock cycles and remain HIGH for at least four system 
clock cycles. 
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Table 1 . Pin Description (Cont.) 



Symbol 



Type 



Name and Function 



PEREQ 
PEACK 



I 

O 



Processor Extension Operand Request and Acknowledge extend the memory management 
and protection capabilities of the 80286 to processor extensions. The PEREQ input requests the 
80286 to perform a data operand transfer for a processor extension. The PEACK output signals the 
processor extension when the requested operand is being transferred. PEREQ is active HIGH and 
may be asynchronous to the system clock. PEACK is active LOW. 



BUSY 
ERROR 



Processor Extensio n Bus y and Error indicate the operating condition of a processor extension to 
the 80286. An active BUSY input stops 80286 program execution on WAIT and some ESC instruc- 
tions until BUSY becomes inactive (HIGH). The 80286 may be interrupted while waiting for BUSY to 
become inactive. An active ERROR input causes the 80286 to perform a processor extension inter- 
rupt when executing WAIT or some ESC instructions. These inputs are active LOW and may be 
asynchronous to the system clock. 



RESET 



System Reset clears the internal logic of the 80286 and is active HIGH. The 80286 may be re- 
initialized at any time with a LOW to HIGH transition on RESET which remains active for more than 
16 system clock cycles. During RESET active, the output pins of the 80286 enter the state shown 
below: 



80286 Pin State During Reset 


Pin Value 


Pin Names 


1 (HIGH) 
(LOW) 
3-state OFF 


SO, S1 , PEACK, A23-A0. BHE, LOCK 

M/IO, COD'INTA, HLDA 

D15-D0 



Operation of the 80286 begins after a HIGH to LOW transition on RESET. The HIGH to LOW transi- 
tion of RESET must be synchronous to the system clock. Approximately 50 system clock cycles are 
required by the 80286 for internal initializations before the first bus cycle to fetch code from the 
power-on execution address is performed. 

A LOW to HIGH transition of RESET synchronous to the system clock, will begin a new processor 
cycle at the next HIGH to LOW transition of the system clock. The LOW to HIGH transition of RESET 
may be asynchronous to the system clock; however, in this case it can not be predetermined which 
phase of the processor clock will occur during the next system clock period. Synchronous LOW to 
HIGH transitions of RESET are only required for systems where the processor clock must be phase 
synchronous to another clock. 



v S s 



System Ground: VOLTS. 



V C C 



System Power: + 5 Volt Power Supply. 



CAP 



Substrate Filter Capacitor: a 0.047|j,f ± 20% 12V capacitor must be connected between this pin 
and ground. This capacitor filters the output of the internal substrate bias generator. A maximum DC 
leakage current of 1 ixa is allowed through the capacitor. 

For correct operation of the 80286, the substrate bias generator must charge this capacitor to its 
operating voltage. The capacitor chargeup time is 5 milliseconds (max.) after Vpc and CLK reach 
their specified AC and DC parameters. RESET may be applied to prevent spurious activity by the 
CPU during this time. After this time, the 80286 processor clock can be phase synchronized to 
another clock by pulsing RESET LOW synchronous to the system clock. 
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FUNCTIONAL DESCRIPTION 
Introduction 

The 80286 is an advanced, high-performance micro- 
processor with specially optimized capabilities for mul- 
tiple user and multi-tasking systems. Depending on the 
application, the 80286's performance is up to six times 
faster than the standard 5 MHz 8086's, while providing 
complete upward software compatibility with Intel's iAPX 
86, 88, and 186 family of CPU's. 

The 80286 operates in two modes: iAPX 86 real address 
mode and protected virtual address mode. Both modes 
execute a superset of the iAPX 86 and 88 instruction set. 

In iAPX 86 real address mode programs use real ad- 
dresses with up to one megabyte of address space. Pro- 
grams use virtual addresses in protected virtual address 
mode, also called protected mode. In protected mode, 
the 80286 CPU automatically maps 1 gigabyte of virtual 
addresses per task into a 16 megabyte real address 
space. This mode also provides memory protection to 
isolate the operating system and ensure privacy of each 
tasks' programs and data. Both modes provide the same 
base instruction set, registers, and addressing modes. 

The following Functional Description describes first, the 
base 80286 architecture common to both modes, sec- 
ond, iAPX 86 real address mode, and third, protected 
mode. 



Register Set 

The 80286 base architecture has fifteen registers as 
shown in Figure 3. These registers are grouped into the 
following four categories: 



General Registers: Eight 16-bit general purpose reg- 
isters used to contain arithmetic and logical operands. 
Four of these (AX, BX, CX, and DX) can be used either 
in their entirety as 16-bit words or split into pairs of sep- 
arate 8-bit registers. 



Segment Registers: Four 16-bit special purpose reg- 
isters select, at any given time, the segments of memory 
that are immediately addressable for code, stack, and 
data. (For usage, refer to Memory Organization.) 



Base and Index Registers: Four of the general pur- 
pose registers may also be used to determine offset ad- 
dresses of operands in memory. These registers may 
contain base addresses or indexes to particular loca- 
tions within a segment. The addressing mode deter- 
mines the specific registers used for operand address 
calculations. 



iAPX 286/10 BASE ARCHITECTURE 

The iAPX 86, 88, 186, and 286 CPU family all contain 
the same basic set of registers, instructions, and ad- 
dressing modes. The 80286 processor is upward com- 
patible with the 8086, 8088, and 80186 CPU's. 



Status and Control Registers: Three 16-bit special 
purpose registers record or control certain aspects of 
the 80286 processor state. These include the Instruc- 
tion Pointer, which contains the offset address of the 
next sequential instruction to be executed. 



16-BIT 
REGISTER 
NAME 



BYTE 

ADDRESSABLE 

(8-BIT 

REGISTER 

NAMES 

SHOWN) 



AX 
DX 
CX 
BX 
BP 
SI 
Dl 



AH 


AL 


DH 


DL 


CH 


CL 


BH 


BL 











SPECIAL 
REGISTER 
FUNCTIONS 



MULTIPLY/DIVIDE 
I/O INSTRUCTIONS 



LOOP/SHIFT/REPEAT COUNT 
BASE REGISTERS 

INDEX REGISTERS 
STACK POINTER 



CS 
DS 
SS 
ES 



SEGMENT REGISTERS 

15 



F 
IP 
MSW 



GENERAL 
REGISTERS 



CODE SEGMENT SELECTOR 
DATA SEGMENT SELECTOR 
STACK SEGMENT SELECTOR 
EXTRA SEGMENT SELECTOR 



FLAGS 

INSTRUCTION POINTER 
MACHINE STATUS WORD 



STATUS AND CONTROL 
REGISTERS 



Figure 3. Register Set 

5 



AFN-02060A 



irrtel 



iAPX 286/10 



STATUS FLAGS: 
CARRY 
PARITY 
AUXILIARY CARRY 
ZERO 
SIGN 
OVERFLOW 



15 



14 



13 



IOPL 


OF 


DF 


IF 


TF 


SF 



CONTROL FLAGS: 
TRAP FLAG 
INTERRUPT ENABLE 
DIRECTION FLAG 



SPECIAL FIELDS: 
I/O PRIVILEGE LEVEL 
NESTED TASK FLAG 



ESI 



INTEL RESERVED 



TASK SWITCH 
PROCESSOR EXTENSION EMULATED 
MONITOR PROCESSOR EXTENSION 
PROTECTION ENABLE 



Flags Word Description 

The Flags word (Flags) records specific characteristics 
of the result of logical and arithmetic instructions (bits 0, 
2, 4, 6, 7, and 1 1 ) and controls the operation of the 80286 
within a given operating mode (bits 8 and 9). Flags is a 
16-bit register. The function of the flag bits is given in 
Table 2. 

Instruction Set 

The instruction set is divided into seven categories: data 
transfer, arithmetic, shift/rotate/logical, string manipula- 
tion, control transfer, high level instructions, and pro- 
cessor control. These categories are summarized in 
Figure 4. 

An 80286 instruction can reference zero, one, or two 
operands; where an operand resides in a register, in the 
instruction itself, or in memory. Zero-operand instruc- 
tions (e.g. NOP and HLT) are usually one byte long. One- 
operand instructions (e.g. INC and DEC) are usually two 
bytes long but some are encoded in only one byte. One- 
operand instructions may reference a register or mem- 
ory location. Two-operand instructions permit the follow- 
ing six types of instruction operations: 

— Register to Register 
— Memory to Register 
— Immediate to Register 
— Memory to Memory 
— Register to Memory 
— Immediate to Memory 



Figure 3a. Status and Control Register Bit Functions 

Table 2. Flags Word Bit Functions 



Bit 
Position 


Name 


Function 





CF 


Carry Flag — Set on high-order bit 
carry or borrow; cleared otherwise 


2 


PF 


Parity Flag — Set if low-order 8 bits 
of result contain an even number of 
1 -bits; cleared otherwise 


4 


AF 


Set on carry from or borrow to the 
low order four bits of AL; cleared 
otherwise 


6 


ZF 


Zero Flag-Set if result is zero; 
cleared otherwise 


7 


SF 


Sign Flag — Set equal to high-order 
bit of result (0 if positive, 1 if negative) 


11 


OF 


Overflow Flag— Set if result is a too- 
large positive number or a too-small 
negative number (excluding sign-bit) 
to fit in destination operand; cleared 
otherwise 


8 


TF 


Single Step Flag — Once set, a sin- 
gle step interrupt occurs after the 
next instruction executes. TF is 
cleared by the single step interrupt. 


9 


IF 


Interrupt-enable Flag — When set, 
maskable interrupts will cause the 
CPU to transfer control to an inter- 
rupt vector specified location. 


10 


DF 


Direction Flag — Causes string in- 
structions to auto increment the ap- 
propriate index registers when set. 
Clearing DF causes auto 
decrement. 
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Two-operand instructions (e.g. MOV and ADD) are usu- 
ally three to six bytes long. Memory to memory opera- 
tions are provided by a special class of string instructions 
requiring one to three bytes. For detailed instruction for- 
mats and encodings refer to the instruction set summary 
at the end of this document. 



GENERAL PURPOSE 


MOV 


Move byte or word 


PUSH 


Push word onto stack 


POP 


Pop word off stack 


PUSHA 


Push all registers on stack 


POPA 


Pop all registers from stack 


XCHG 


Exchange byte or word 


XLAT 


Translate byte 


INPUT/OUTPUT 


IN 


Input byte or word 


OUT 


Output byte or word 


ADDRESS OBJECT 


LEA 


Load effective address 


LDS 


Load pointer using DS 


LES 


Load pointer using ES 


FLAG TRANSFER 


LAHF 


Load AH register from flags 


SAHF 


Store AH register in flags 


PUSHF 


Push flags onto stack 


POPF 


Pop flags off stack 



Figure 4a. Data Transfer Instructions 



MOVS 


Move byte or word string 


INS 


Input bytes or word string 


OUTS 


Output bytes or word string 


CMPS 


Compare byte or word string 


SCAS 


Scan byte or word string 


LODS 


Load byte or word string 


STOS 


Store byte or word string 


REP 


Repeat 


REPE/REPZ 


Repeat while equal/zero 


REPNE/REPNZ 


Repeat while not equal/not zero 



ADDITION 


ADD 


Add byte or word 


ADC 


Add byte or word with carry 


INC 


Increment byte or word by 1 


AAA 


ASCII adjust for addition 


DAA 


Decimal adjust for addition 


SUBTRACTION 


SUB 


Subtract byte or word 


SBB 


Subtract byte or word with borrow 


DEC 


Decrement byte or word by 1 


NEG 


Negate byte or word 


CMP 


Compare byte or word 


AAS 


ASCII adjust for subtraction 


DAS 


Decimal adjust for subtraction 


MULTIPLICATION 


MUL 


Multiply byte or word unsigned 


IMUL 


Integer multiply byte or word 


AAM 


ASCII adjust for multiply 


DIVISION 


DIV 


Divide byte or word unsigned 


IDIV 


Integer divide byte or word 


AAD 


ASCII adjust for division 


CBW 


Convert byte to word 


CWD 


Convert word to doubleword 



Figure 4b. Arithmetic Instructions 



LOGICALS 


NOT 


"Not" byte or word 


AND 


"And" byte or word 


OR 


"Inclusive or" byte or word 


XOR 


"Exclusive or" byte or word 


TEST 


"Test" byte or word 


SHIFTS 


SHL/SAL 


Shift logical/arithmetic left byte or word 


SHR 


Shift logical right byte or word 


SAR 


Shift arithmetic right byte or word 


ROTATES 


ROL 


Rotate left byte or word 


ROR 


Rotate right byte or word 


RCL 


Rotate through carry left byte or word 


RCR 


Rotate through carry right byte or word 



Figure 4c. String Instructions 



Figure 4d. Shift/Rotate/Logical Instructions 
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CONDITIONAL TRANSFERS 


UNCONDITIONAL TRANSFERS 


1 A / IMDC 

JA/JNBb 


Jump if above/not below nor equal 


CALL 


Call procedure 


JAb/JIND 


Jump if above or equal/not below 


RET 


Return from procedure 


ID/ IMAC 

Jb/JINAb 


Jump if below/not above nor equal 


JMP 


Jump 


IDC/ IMA 

JBb/J IMA 


Jump if below or equal/not above 


JO 


Jump if carry 


ITERATION CONTROLS 


IE/ 1*7 


Jump if equal/zero 


LOOP 


Loop 


1/"* / IMI C 


Jump if greater/not less nor equal 


Jub/JNL 


Jump if greater or equal/not less 


LOOPE/LOOPZ 


Loop if equal/zero 


JL/JNGE 


Jump if less/not greater nor equal 


LOOPNE/LOOPNZ 


Loop if not equal/not zero 


II C / IKI/~* 

JLt/JNb 


Jump if less or equal/not greater 


JCXZ 


Jump if register CX = 




Jump if not carry 


JNE/JNZ 


Jump if not equal/not zero 


INTERRUPTS 


JNO 


Jump if not overflow 


INT 


Interrupt 


JNP/JPO 


Jump if not parity/parity odd 


JNS 


Jump if not sign 


INTO 


Interrupt if overflow 


JO 


Jump if overflow 


IRET 


Interrupt return 


JP/JPE 


Jump if parity/parity even 


JS 


Jump if sign 



Figure 4e. Program Transfer Instructions 



FLAG OPERATIONS 


STC 


Set carry flag 


CLC 


Clear carry flag 


CMC 


Complement carry flag 


STD 


Set direction flag 


CLD 


Clear direction flag 


STI 


Set interrupt enable flag 


CLI 


Clear interrupt enable flag 


EXTERNAL SYNCHRONIZATION 


HLT 


Halt until interrupt or reset 


WAIT 


Wait for TEST pin active 


ESC 


Escape to extension processor 


LOCK 


Lock bus during next instruction 


NO OPERATION 


NOP 


No operation 


EXECUTION ENVIRONMENT CONTROL 


LMSW 


Load machine status word 


SMSW 


Store machine status word 



Figure 4f . Processor Control Instructions 



ENTER 


Format stack for procedure entry 


LEAVE 


Restore stack for procedure exit 


BOUND 


Detects values outside prescribed range 



Figure 4g. High Level Instructions 



Memory Organization 

Memory is organized as sets of variable length seg- 
ments. Each segment is a linear contiguous sequence 
of up to 64K (2 1 6) 8-bit bytes. Memory is addressed us- 
ing a two-component address (a pointer) that consists 
of a 16-bit segment selector, and a 16-bit offset. The 
segment selector indicates the desired segment in 
memory. The offset component indicates the desired byte 
address within the segment. 



SEGMENT 



OFFSET 



OPERAND 
SELECTED 



SELECTED 
SEGMENT 



MEMORY 



Figure 5. Two Component Address 
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M)Mu*I 0MF(Q)C3GMT[](Q)M] 



Table 3. Segment Register Selection Rules 



men iui y 

Reference Needed 


Qpnmpnt R^nictor 

Used 


lmnli/*it QpnmAnt 

II 1 ll/llVl I OCUIIICIII 

Selection Rule 


Instructions 


Code (CS) 


Automatic with instruction prefetch 


Stack 


Stack (SS) 


All stack pushes and pops. Any memory reference which uses BP as a 
base register. 


Local Data 


Data (DS) 


All data references except when relative to stack or string destination 


External (Global) Data 


Extra (ES) 


Alternate data segment and destination of string operation 



All instructions that address operands in memory must 
specify the segment and the offset. For speed and com- 
pact instruction encoding, segment selectors are usu- 
ally stored in the high speed segment registers. An 
instruction need specify only the desired segment reg- 
ister and an offset in order to address a memory operand. 

Most instructions need not explicitly specify which seg- 
ment register is used. The correct segment register is 
automatically chosen according to the rules of Table 3. 
These rules follow the way programs are written (see 
Figure 6) as independent modules that require areas for 
code and data, a stack, and access to external data areas. 

Special segment override instruction prefixes allow the 
implicit segment register selection rules to be overrid- 
den for special cases. The stack, data, and extra seg- 
ments may coincide for simple programs. To access 
operands that do not reside in one of the four immedi- 
ately available segments, either a full 32-bit pointer can 
be used or a new segment selector must be loaded. 

Addressing Modes 

The 80286 provides a total of eight addressing modes 
for instructions to specify operands. Two addressing 
modes are provided for instructions that operate on reg- 
ister or immediate operands: 

Register Operand Mode: The operand is located in 
one of the 8 or 1 6-bit general registers. 

Immediate Operand Mode. The operand is included 
in the instruction. 

Six modes are provided to specify the location of an op- 
erand in a memory segment. A memory operand ad- 
dress consists of two 16-bit components: segment 
selector and offset. The segment selector is supplied by 
a segment register either implicitly chosen by the ad- 
dressing mode or explicitly chosen by a segment over- 
ride prefix. The offset is calculated by summing any 
combination of the following three address elements: 

the displacement (an 8 or 16-bit immediate value 
contained in the instruction) 

the base (contents of either the BX or BP base 
registers) 

the index (contents of either the SI or Dl index registers) 



MODULE A 



CODE 



DATA 



MODULE B 



CODE 



DATA 



PROCESS 
STACK 



PROCESS 
DATA 
BLOCK 1 



PROCESS 
DATA 
BLOCK 2 



CODE 
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Figure 6. Segmented Memory Helps 
Structure Software 

Any carry out from the 16-bit addition is ignored. Eight- 
bit displacements are sign extended to 1 6-bit values. 

Combinations of these three address elements define 
the six memory addressing modes, described below. 

Direct Mode: The operand's offset is contained in the 
instruction as an 8 or 1 6-bit displacement element. 

Register Indirect Mode: The operand's offset is in one 
of the registers SI, Dl, BX, or BP. 

Based Mode: The operand's offset is the sum of an 8 or 
16-bit displacement and the contents of a base register 
(BXorBP). 
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Indexed Mode: The operand's offset is the sum of an 8 
or 1 6-bit displacement and the contents of an index reg- 
ister (SI or Dl). 

Based Indexed Mode: The operand's offset is the sum 
of the contents of a base register and an index register. 

Based Indexed Mode with Displacement: The oper- 
and's offset is the sum of a base register's contents, an 
index register's contents, and an 8 or 16-bit displacement. 

Data Types 

The 80286 directly supports the following data types: 

Integer: A signed binary numeric value con- 

tained in an 8-bit byte or a 16-bit word. 
All operations assume a 2's comple- 
ment representation. Signed 32 and 64- 
bit integers are supported using the iAPX 
286/20 Numeric Data Processor. 



Ordinal: 
Pointer: 

String: 
ASCII: 



An unsigned binary numeric value con- 
tained in an 8-bit byte or 16-bit word. 

A 32-bit quantity, composed of a seg- 
ment selector component and an offset 
component. Each component is a 16-bit 
word. 

A contiguous sequence of bytes or 
words. A string may contain from 1 byte 
to 64K bytes. 



A byte representation of alphanumeric 
and control characters using the ASCII 
standard of character representation. 

BCD: A byte (unpacked) representation of the 

decimal digits 0-9. 

Packed BCD: A byte (packed) representation of two 
decimal digits 0-9 storing one digit in 
each nibble of the byte. 

Floating Point: A signed 32, 64, or 80-bit real number 
representation. (Floating point operands 
are supported using the iAPX 286/20 
Numeric Processor configuration.) 

Figure 7 graphically represents the data types sup- 
ported by the iAPX 286. 



I/O Space 

The I/O space consists of 64K 8-bit or 32K 16-bit ports. 
I/O instructions address the I/O space with either an 8- 
bit port address, specified in the instruction, or a 16-bit 
port address in the DX register. 8-bit port addresses are 
zero extended such that A 15 -A 8 are LOW. I/O port ad- 
dresses 00F8(H) through 00FF(H) are reserved. 
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Figure 7. iAPX 286 Supported Data Types 
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Table 4. Interrupt Vector Assignments 



Function 


Interrupt 

Numhpr 

HUM IUCI 


Related 

In^truptinnQ 

II 1 LI Ul# L 1 \J 1 19 


Return Address 
Before Instruction 
Causing Exception? 


Divide error exception 





DIV, IDIV 


Yes 


Single step interrupt 


1 


All 




NMI interrupt 


2 


All 




Breakpoint interrupt 


3 


INT 




INTO detected overflow exception 


4 


INTO 


No 


BOUND range exceeded exception 


5 


BOUND 


Yes 


Invalid opcode exception 


6 


Any undefined opcode 


Yes 


Processor extension not available exception 


7 


ESC or WAIT with 


Yes 


Reserved 


8-15 






Processor extension error interrupt 


16 


ESC or WAIT 




Reserved 


17-31 






User defined 


32-255 







Interrupts 

An interrupt transfers execution to a new program loca- 
tion. The old program address (CS:IP) and machine state 
(Flags) are saved on the stack to allow resumption 
of the interrupted program. Interrupts fall into three 
classes: hardware initiated, INT instructions, and instruc- 
tion exceptions. Hardware initiated interrupts occur 
in response to an external input and are classified 
as non-maskable or maskable. Programs may cause 
an interrupt with an INT instruction. Instruction excep- 
tions occur when an unusual condition, which pre- 
vents further instruction processing, is detected while 
attempting to execute an instruction. The return ad- 
dress from an exception will always point at the in- 
struction causing the exception and include any leading 
instruction prefixes. 

A table containing up to 256 pointers defines the proper 
interrupt service routine for each interrupt. Interrupts 0- 
31 , some of which are used for instruction exceptions, 
are reserved. For each interrupt, an 8-bit vector must be 
supplied to the 80286 which identifies the appropriate 
table entry. Exceptions supply the interrupt vector inter- 
nally. INT instructions contain or imply the vector and 
allow access to all 256 interrupts. Maskable hardware 
initiated interrupts supply the 8-bit vector to the CPU 
during an interrupt acknowledge bus sequence. Non- 
maskable hardware interrupts use a predefined inter- 
nally supplied vector. 

MASKABLE INTERRUPT (INTR) 

The 80286 provides a maskable hardware interrupt re- 
quest pin, INTR. Software enables this input by setting 



the interrupt flag bit (IF) in the flag word. All 224 user- 
defined interrupt sources can share this input, yet they 
can retain separate interrupt handlers. An 8-bit vector 
read by the CPU during the interrupt acknowledge se- 
quence (discussed in System Interface section) identi- 
fies the source of the interrupt. 

Further maskable interrupts are disabled while servic- 
ing an interrupt by resetting the IF but as part of the 
response to an interrupt or exception. The saved flag 
word will reflect the enable status of the processor prior 
to the interrupt. Until the flag word is restored to the flag 
register, the interrupt flag will be zero unless specifically 
set. The interrupt return instruction includes restoring 
the flag word, thereby restoring the original status of IF. 

NON-MASKABLE INTERRUPT REQUEST (NMI) 

A non-maskable interrupt input (NMI) is also provided. 
NMI has higher priority than INTR. A typical use of NMI 
would be to activate a power failure routine. The activa- 
tion of this input causes an interrupt with an internally 
supplied vector value of 2. No external interrupt ac- 
knowledge sequence is performed. 

While executing the NMI servicing procedure, the 80286 
will service neither further NMI requests, INTR re- 
quests, nor the processor extension segment overrun 
interrupt until an interrupt return (IRET) instruction is ex- 
ecuted or the CPU is reset. If NMI occurs while currently 
servicing an NMI, its presence will be saved for servic- 
ing after executing the first IRET instruction. IF is cleared 
at the beginning of an NMI interrupt to inhibit INTR 
interrupts. 
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SINGLE STEP INTERRUPT 

The 80286 has an internal interrupt that allows pro- 
grams to execute one instruction at a time. It is called the 
single step interrupt and is controlled by the single step 
flag bit (TF) in the flag word. Once this bit is set, an inter- 
nal single step interrupt will occur after the next instruc- 
tion has been executed. The interrupt clears the TF bit 
and uses an internally supplied vector of t. The IRET 
instruction is used to set the TF bit and transfer control 
to the next instruction to be single stepped. 

Interrupt Priorities 

When simultaneous interrupt requests occur, they are 
processed in a fixed order as shown in Table 5. Interrupt 
processing involves saving the flags, return address, and 
setting CS:IP to point at the first instruction of the inter- 
rupt handler. If other interrupts remain enabled they are 
processed before the first instruction of the current in- 
terrupt handler is executed. The last interrupt processed 
is therefore the first one serviced. 



Tab 


e 5. Interrupt Processing Order 


Order 


Interrupt 


1 


INT instruction or exception 


2 


Single step 


3 


NMI 


4 


Processor extension segment overrun 


5 


INTR 



Initialization and Processor Reset 

Processor initialization or start up is accomplished by 
driving the RESET input pin HIGH. RESET forces the 
80286 to terminate all execution and local bus activity. 
No instruction or bus activity will occur as long as RE- 
SET is active. After RESET becomes inactive and an 
internal processing interval elapses, the 80286 begins 
execution in real address mode with the instruction at 
physical location FFFFFO(H). RESET also sets some 
registers to predefined values as shown as shown in 
Table 6 . 



Table 6. 80286 Initial Register State after RESET 



Flag word 


0002(H) 


Machine Status Word 


FFF0(H) 


Instruction pointer 


FFF0(H) 


Code segment 


F000(H) 


Data segment 


0000(H) 


Extra segment 


0000(H) 


Stack segment 


0000(H) 



Machine Status Word Description 

The machine status word (MSW) records when a task 
switch takes place and controls the operating mode of 
the 80286. It is a 16-bit register of which the lower four 
bits are used. One bit places the CPU into protected 
mode, while the other three bits, as shown in Table 7, 
control the processor extension interface. After RESET, 
this register contains FFF0(H) which places the 80286 
in iAPX 86 real address mode. 

Table 7. MSW Bit Functions 



Bit 
Position 


Name 


Function 





PE 


Protected mode enable places the 
80286 into protected mode and can 
not be cleared except by RESET. 


1 


MP 


Monitor processor extension al- 
lows WAIT instructions to cause a 
processor extension not present 
exception (number 7). 


2 


EM 


Emulate processor extension 
causes a processor extension not 
present exception (number 7) on 
ESC instructions to allow emulat- 
ing a processor extension. 


3 


TS 


Task switched indicates the next 
instruction using a processor ex- 
tension will cause exception 7, al- 
lowing software to test whether the 
current processor extension con- 
text belongs to the current task. 



The LMSW and SMSW instructions can load and store 
the MSW in real address mode. The recommended use 
of TS, EM, and MP is shown in Table 8. 



Table 8. Recommended MSW Encodings For Processor Extension Control 



TS 


MP 


EM 


Recommended Use 


Instructions 
Causing 
Exception 











iAPX 86 real address mode only. Initial encoding after RESET. iAPX 286 operation 
is identical to iAPX 86, 88. 


None 








1 


No processor extension is available. Software will emulate its function. 


ESC 


1 





1 


No processor extension is available. Software will emulate its function. The current 
processor extension context may belong to another task. 


ESC 





1 





A processor extension exists. 


None 


1 


1 





A processor extension exists. The current processor extension context may belong 
to another task. The exception on WAIT allows software to test for an error pending 
from a previous processor extension operation. 


ESC or 
WAIT 
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Halt 

The HLT instruction stops program execution and pre- 
vents the CPU from using the local bus until restarted. 
Either NMI, INTR with IF = 1 , or RESET will force the 
80286 out of halt. If interrupted, the saved CS:IP will 
point to the next instruction after the HLT. 

iAPX 86 REAL ADDRESS MODE 

The 80286 executes afully upward-compatible superset 
of the 8086 instruction set in real address mode. In real 
address mode the 80286 is object code compatible with 
8086 and 8088 software. The real address mode archi- 
tecture (registers and addressing modes) is exactly as 
described in the iAPX 286/10 Base Architecture section 
of this Functional Description. 

Memory Size 

Physical memory is a contiguous array of up to 1 ,048,576 
bytes (one megabyte) addressed by pins A through A-| 9 
and BHE. A 2 o through A 2 3 are ignored. 

Memory Addressing 

In real address mode the processor generates 20-bit 
physical addresses directly from a 20-bit segment base 
address and a 16-bit offset. 

The selector portion of a pointer is interpreted as the 
upper 16 bits of a 20-bit segment address. The lower 
four bits of the 20-bit segment address are always zero. 
Segment addresses, therefore, begin on multiples of 16 
bytes. See Figure 8 for a graphic representation of ad- 
dress formation. 

All segments in real address mode are 64K bytes in size 
and may be read, written, or executed. An exception or 
interrupt can occur if data operands or instructions at- 
tempt to wrap around the end of a segment (e.g. a word 
with its low order byte at offset FFFF(H) and its high 
order byte at offset 0000(H)). If, in real address mode, 
the information contained in a segment does not use the 
full 64K bytes, the unused end of the segment may be 
overlayed by another segment to reduce physical mem- 
ory requirements. 

Reserved Memory Locations 

The 80286 reserves two fixed areas of memory in real 
address mode (see Figure 9); system initialization area 
and interrupt table area. Locations from addresses 
FFFFO(H) thorugh FFFFF(H) are reserved for system 
initialization. Initial execution begins at location FFFFO(H). 
Locations 00000(H) through 003FF(H) are reserved for 
interrupt vectors. 
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Figure 8. iAPX 86 Real Address Mode Address 
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Table 9. Real Address Mode Addressing Interrupts 



Function 


Interrupt 
Number 


Related 
Instructions 


Return Address 
Before Instruction? 


Interrupt table limit too small exception 


8 


INT vector is not within table limit 


Yes 


Processor extension segment overrun 
interrupt 


9 


ESC with memory operand extend- 
ing beyond offset FFFF(H) 


No 


Segment overrun exception 


13 


Word memory reference with offset 
= FFFF(H) or an attempt to exe- 
cute past the end of a segment 


Yes 



Interrupts 

Table 9 shows the interrupt vectors reserved for excep- 
tions and interrupts which indicate an addressing error. 
The exceptions leave the CPU in the state existing be- 
fore attempting to execute the failing instruction (except 
for PUSH, POP, PUSHA, or POPA). Refer to the next 
section on protected mode initialization for a discussion 
on exception 8. 

Protected Mode Initialization 

To prepare the 80286 for protected mode, the LIDT in- 
struction is used to load the 24-bit interrupt table base 
and 16-bit limit for the protected mode interrupt table. 
This instruction can also set a base and limit for the in- 
terrupt vector table in real address mode. After reset, 
the interrupt table base is initialized to 000000(H) and 
its size set to 03FF(H). These values are compatible 
with iAPX 86, 88 software. LIDT should only be exe- 
cuted in preparation for protected mode. 

Shutdown 

Shutdown occurs when a severe error is detected that 
prevents further instruction processing by the CPU. 
Shutdown and halt are externally signalled via a halt bus 
operation. They can be distinguished by At HIGH for halt 
and A-i LOW for shutdown. In real address mode, shut- 
down can occur under two conditions: 

• Exceptions 8 or 13 happen and the IDT limit does not 
include the interrupt vector. 

• A CALL, INT, or POP instruction attempts to wrap 
around the stack segment when SP is not even. 

An NMI input can bring the CPU out of shutdown if the 
IDT limit is at least 000F(H) and SP is greater than 
0005(H), otherwise shutdown can only be exited via the 
RESET input. 



PROTECTED VIRTUAL ADDRESS MODE 

The 80286 executes a fully upward-compatible superset 
of the 8086 instruction set in protected virtual address 
mode (protected mode). Protected mode also provides 
memory management and protection mechanisms and 
associated instructions. 

The 80286 enters protected virtual address mode from 
real address mode by setting the PE (Protection En- 
able) bit of the machine status word with the Load Ma- 
chine Status Word (LMSW) instruction. Protected mode 
offers extended physical and virtual memory address 
space, memory protection mechanisms, and new oper- 
ations to support operating systems and virtual memory. 

All registers, instructions, and addressing modes de- 
scribed in the iAPX 286/10 Base Architecture section of 
this Functional Description remain the same. Programs 
for the iAPX 86, 88, 186, and real address mode 80286 
can be run in protected mode; however, embedded con- 
stants for segment selectors are different. 

Memory Size 

The protected mode 80286 provides a 1 gigabyte virtual 
address space per task mapped into a 16 megabyte 
physical address space defined by the address pins A23- 
A and BHE. The virtual address space may be larger 
than the physical address space since any use of an 
address that does not map to a physical memory loca- 
tion will cause a restartable exception. 

Memory Addressing 

As in real address mode, protected mode uses 32-bit 
pointers, consisting of 16-bit selector and offset com- 
ponents. The selector, however, specifies an index into 
a memory resident table rather than the upper 16-bits of 
a real memory address. The 24-bit base address of the 
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desired segment is obtained from the tables in memory. 
The 16-bit offset is added to the segment base address 
to form the physical address as shown in Figure 1 0. The 
tables are automatically referenced by the CPU when- 
ever a segment register is loaded with a selector. All 
iAPX 286 instructions which load a segment register will 
reference the memory based tables without additional 
software. The memory based tables contain 8 byte val- 
ues called descriptors. 



DESCRIPTORS 

Descriptors define the use of memory. Special types of 
descriptors also define new functions for transfer of con- 
trol and task switching. The 80286 has segment de- 
scriptors for code, stack and data segments, and system 
control descriptors for special system data segments and 
control transfer operations. Descriptor accesses are 
performed as locked bus operations to assure descrip- 
tor integrity in multi-processor systems. 



POINTER SELECTOR OFFSET 




SEGMENT BASE 
ADDRESS 



PHYSICAL MEMORY 



MEMORY 
OPERAND 



SEGMENT 
DESCRIPTOR 



SEGMENT 

DESCRIPTOR 

TABLE 



Figure 10. Protected Mode Memory Addressing 



CODE AND DATA SEGMENT DESCRIPTORS 

Besides segment base addresses, code and data de- 
scriptors contain other segment attributes including 
segment size (1 to 64K bytes), access rights (read only, 
read/write, execute only, and execute/read), and pres- 
ence in memory (for virtual memory systems) (See Fig- 
ure 11 ). Any segment usage violating a segment attribute 
indicated by the segment descriptor will prevent the 
memory cycle and cause an exception or interrupt. 



ACCESS 
RIGHTS BYTE 



+ 7 
+ 5 
+ 3 
+ 1 



INTEL RESERVED 


+ 6 


P 


DPL 


S 


TYPE 


A I BASE23-I6 


+ 4 


BASE 15 _ 
I 


+ 2 


LIMIT 16 -o 
I 






Access Rights Byte Definition 



Bit 
Position 


Name 


Function 


7 

6-5 
4 


Present (P) 

Descriptor Privilege 
Level (DPL) 
Segment Descrip- 
tor (S) 


P = 1 Segment is mapped into physical memory. 

P = No mapping to physical memory exists, base and limit are not used. 
Segment privilege attribute used in privilege tests. 

S = 1 Code or Data segment descriptor 
S = Non-segment descriptor 


3 
2 

1 


Executable (E) 

Expansion Direc- 
tion (ED) 

Writeable (W) 


E = Data segment descriptor type is: 

ED = Grow up segment, offsets must be « limit. 

ED = 1 Grow down segment, offsets must be > limit. 

W= Data segment may not be written into. 

W=1 Data segment may be written into. i 


Data 

Segment 


3 
2 
1 


Executable (E) 
Conforming (C) 
Readable (R) 


E = 1 Code Segment Descriptor type is: 

C = Code segment may only be executed when CPL 3= DPL. 

R = Code segment may not be read . 

R = 1 Code segment may be read. 


Code 
Segment 





Accessed (A) 


A = Segment has not been accessed. 

A = 1 Segment selector has been loaded into segment register or used by 
selector test instructions. 



r 



c 
o 



a> 
Q 

a> 



a. 



L 



Figure 11 . Code and Data Segment Descriptors 
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Code and data are stored in two types of segments: 
code segments and data segments. Both types are 
identified and defined by segment descriptors. Code 
segments are identified by the executable (E) bit set to 
1 in the descriptor access rights byte. The access rights 
byte of both code and data segment descriptor types 
have three fields in common: present (P) bit, Descriptor 
Privilege Level (DPL), and accessed (A) bit. If P = 0, 
any attempted use of this segment will cause a not-pres- 
ent exception. DPL specifies the privilege level of the 
segment descriptor. DPL effects when the descriptor may 
be used by a task (refer to privilege discussion below). 
The A bit shows whether the segment has been previ- 
ously accessed for usage profiling, a necessity for vir- 
tual memory systems. The CPU will always set this bit 
when accessing the descriptor. 

Data segments (S = 1 , E = 0) may be either read-only or 
read-write as controlled by the W bit of the access rights 
byte. Read-only (W= 0) data segments may not be writ- 
ten into. Data segments may grow in two directions, as 
determined by the Expansion Direction (ED) bit: up- 
wards (ED = 0) for data segments, and downwards 
(ED = 1 ) for a segment containing a stack. The limit field 
for a data segment descriptor is interpreted differently 
depending on the ED bit (see Figure 11). 

A code segment (S = 1 , E = 1 ) may be execute-only or 
execute/read as determined by the Readable (R) bit. 
Code segments may never be written into and execute- 
only code segments (R = 0) may not be read. A code 
segment may also have an attribute called conforming 
(C). A conforming code segment may be shared by pro- 
grams that execute at different privilege levels. The DPL 
of a conforming code segment defines the range of priv- 
ilege levels at which the segment may be executed (refer 
to privilege discussion below). 

SYSTEM CONTROL DESCRIPTORS 

In addition to code and data segment descriptors, the 
protected mode 80286 defines system control descrip- 
tors. These descriptors define special system data seg- 
ments and control transfer mechanisms in the protected 
environment. The special system data segment de- 
scriptors define segments which contain tables of de- 
scriptors (Local Descriptor Table Descriptor) and 
segments which contain the execution state of a task 
(Task State Segment Descriptor). 

The control transfer descriptors are call gates, task gates, 
interrupt gates and trap gates. Gates provide a level of 
indirection between the source and destination of the 
control transfer. This indirection allows the CPU to au- 
tomatically perform protection checks and control the 
entry point of the destination. Call gates are used to 
change privilege levels (see Privilege), task gates are 
used to perform a task switch, and interrupt and trap 
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System Segment Descriptor Fields 



Name 


Value 


Description 


TYPE 


1 
2 
3 


Available Task State Segment 
Local Descriptor Table Descriptor 
Busy Task State Segment 


P 



1 


Descriptor contents are not valid 
Descriptor contents are valid 


DPL 


0-3 


Descriptor Privilege Level 


BASE 


24-bit 
number 


Base Address of special system data 
segment in real memory 


LIMIT 


16-bit 
number 


Offset of last byte in segment 



Figure 12. Special System Data Segment 

gates are used to specify interrupt service routines. The 
interrupt gate disables interrupts (resets IF) while the 
trap gate does not. 

Figure 12 gives the formats for the special system data 
segment descriptors. The descriptors contain a 24-bit 
base address of the segment and a 16-bit limit. The ac- 
cess byte defines the type of descriptor, its state and 
privilege level. The descriptor contents are valid and the 
segment is in physical memory if P = 1 . If P = 0, the 
segment is not valid. The DPL field is only used in Task 
State Segment descriptors and indicates the privilege 
level at which the descriptor may be used (see Privi- 
lege). Since the Local Descriptor Table descriptor may 
only be used by a special privileged instruction, the DPL 
field is not used. Bit 4 of the access byte is to indicate 
that it is a system control descriptor. The type field spec- 
ifies the descriptor type as indicated in Figure 12. 

Figure 13 shows the format of the gate descriptors. The 
descriptor contains a destination pointer that points to 
the descriptor of the target segment and the entry point 
offset. The destination selector in an interrupt gate, trap 
gate, and call gate must refer to a code segment de- 
scriptor. These gate descriptors contain the entry point 
to prevent a program from constructing and using an 
illegal entry point. Task gates may only refer to a task 
state segment. Since task gates invoke a task switch, 
the destination offset is not used in the task gate. 

Exception 13 is generated when the gate is used if a 
destination selector does not refer to the correct de- 
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WORD 
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+ 4 
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DESTINATION SELECTOR 15 -2 


X X 

1 
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DESTINATION OFFSET 15 _ 
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15 
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Gate Descriptor Fields 



Name 


Value 


Description 


TYPE 


4 
5 
6 
7 


-Call Gate 
—Task Gate 
-Interrupt Gate 
-Trap Gate 


P 




1 


-Descriptor Contents are not 
valid 

-Descriptor Contents are 
valid 


DPL 


0-3 


Descriptor Privilege Level 


WORD 
COUNT 


0-31 


Number of words to copy 
from callers stack to called 
procedures stack. Only used 
with call gate. 


DESTINATION 
SELECTOR 


16-bit 
selector 


Selector to the target code 
segment (Call, Interrupt or 
Trap Gate) 

Selector to the target task 
state segment (Task Gate) 


DESTINATION 
OFFSET 


16-bit 
offset 


Entry point within the target 
code segment 



Figure 13. Gate Descriptor Format 

scriptor type. The word count field is used in the call gate 
descriptor to indicate the number of parameters (0-31 
words) to be automatically copied from the caller's stack 
to the stack of the called routine when a control transfer 
changes privilege levels. The word count field is not used 
by any other gate descriptor. 

The access byte format is the same for all gate descrip- 
tors. P = 1 indicates that the gate contents are valid. P 
= indicates the contents are not valid and causes ex- 



ception 11 if referenced. DPL is the descriptor privilege 
level and specifies when this descriptor may be used by 
a task (refer to privilege discussion below). Bit 4 must 
equal to indicate a system control descriptor. The type 
field specifies the descriptor type as indicated in Figure 
13. 

SEGMENT DESCRIPTOR CACHE REGISTERS 

A segment descriptor cache register is assigned to each 
of the four segment registers (CS, SS, DS, ES). Seg- 
ment descriptors are automatically loaded (cached) into 
a segment descriptor cache register (Figure 14) when- 
ever the associated segment register is loaded with a 
selector. Only segment descriptors may be loaded into 
segment descriptor cache registers. Once loaded, all 
references to that segment of memory use the cached 
descriptor information instead of reaccessing memory. 
The descriptor cache registers are not visible to pro- 
grams. No instructions exist to store their contents. They 
only change when a segment register is loaded. 

SELECTOR FIELDS 

A protected mode selector has three fields: descriptor 
entry index, local or global descriptor table indicator (Tl), 
and selector privilege (RPL) as shown in Figure 15. These 
fields select one of two memory based tables of descrip- 
tors, select the appropriate table entry and allow high- 
speed testing of the selector's privilege attribute (refer 
to privilege discussion below). 



SELECTOR 



INDEX 

' ' ' ' ' ' ' ' ■ ' ' ' 



RPL 



FUNCTION 



1-0 


REQUESTED 
PRIVILEGE 
LEVEL 
(RPL) 


INDICATES SELECTOR PRIVILEGE 
LEVEL DESIRED 


2 


TABLE 

INDICATOR 

(Tl) 


Tl = USE GLOBAL DESCRIPTOR TABLE 
(ODT) 

Tl = 1 USE LOCAL DESCRIPTOR TABLE 
(LDT) 


15-3 


INDEX 


SELECT DESCRIPTOR ENTRY IN TABLE 



Figure 15. Selector Fields 





PROGRAM VISIBLE 
SEGMENT SELECTORS 


r 


ACCESS 
RIGHTS 


PROGRAM INVISIBLE 
SEGMENT BASE ADDRESS 


SEGMENT SIZE 


1 


cs 














DS 














SS 














ES 














15 

SEGMENT REGISTERS 
(LOADED BY PROGRAM) 


) 47 40 39 16 15 

SEGMENT DESCRIPTOR CACHE REGISTERS 
(LOADED BY CPU) 


J 



Figure 14. Descriptor Cache Registers 
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LOCAL AND GLOBAL DESCRIPTOR TABLES 

Two tables of descriptors, called descriptor tables, con- 
tain all descriptors accessible by a task at any given time. 
A descriptor table is a linear array of up to 8192 descrip- 
tors. The upper 1 3 bits of the selector value are an index 
into a descriptor table. Each table has a 24-bit base reg- 
ister to locate the descriptor table in physical memory 
and a 16-bit limit register that confine descriptor access 
to the defined limits of the table as shown in Figure 1 6. A 
restartable exception (13) will occur if an attempt is made 
to reference a descriptor outside the table limits. 

One table, called the Global Descriptor Table (GDT), 
contains descriptors available to all tasks. The other ta- 
ble, called the Local Descriptor Table (LDT), contains 
descriptors that can be private to a task. Each task may 
have its own private LDT. The GDT may contain all de- 
scriptor types except interrupt and trap descriptors. The 
LDT may contain only segment, task gate, and call gate 
descriptors. A segment cannot be accessed by a task if 
its segment descriptor does not exist in either descriptor 
table at the time of access. 



^ MEMORY 



CPU 



LDT 
SELECTOR 



LDT BASE 



PROGRAM INVISIBLE 
I 



LDTt 



LDT„ 



. GDT 



CURRENT 
LDT 



Figure 16. Local and Global Descriptor 
Table Definition 

The LGDT and LLDT instructions load the base and limit 
of the global and local descriptor tables. LGDT and LLDT 
are protected. They may only be executed by trusted 
programs operating at level 0. The LGDT instruction loads 
a six byte field containing the 1 6-bit table limit and 24-bit 
base address of the Global Descriptor Table as shown 
in Figure 1 7. The LLDT instruction loads a selector which 
refers to a Local Descriptor Table descriptor containing 
the base address and limit for an LDT, as shown in Fig- 
ure 12. 



+ 5 
+ 3 
+ 1 



INTEL RESERVED 



BASE 2 3-16 



BASE 15 -o 
I 



LIMIT15-0 



+ 4 
+ 2 




Figure 17. Global Descriptor Table and Interrupt 
Descriptor Data Type 

INTERRUPT DESCRIPTOR TABLE 

The protected mode 80286 has a third descriptor table, 
called the Interrupt Descriptor Table (IDT) (see Figure 
18), used to define up to 256 interrupts. It may contain 
only task gates, interrupt gates and trap gates. The IDT 
(Interrupt Descriptor Table) has a 24-bit base and 16-bit 
limit register in the CPU. The protected LIDT instruction 
loads these registers with a six byte value of identical 
form to that of the LGDT instruction (see Figure 17 and 
Protected Mode Initialization). 



CPU 



IDT BASE 



MEMORY 



GATE FOR 
INTERRUPT #n 



GATE FOR 
INTERRUPT #n-1 



GATE FOR 
INTERRUPT #1 



GATE FOR 
INTERRUPT #0 



INTERRUPT 
DESCRIPTOR 
TABLE 
(IDT) 



Figure 18. Interrupt Descriptor Table Definition 

References to IDT entries are made via INT instruc- 
tions, external interrupt vectors, or exceptions. The IDT 
must be at least 256 bytes in size to allocate space for 
all reserved interrupts. 

Privilege 

The 80286 has a four-level hierarchical privilege system 
which controls the use of privileged instructions and ac- 
cess to descriptors (and their associated segments) within 
a task. Four-level privilege, as shown in Figure 19, is an 
extension of the user/supervisor mode commonly found 
in minicomputers. The privilege levels are numbered 
through 3. Level is the most privileged level. Privilege 



18 



ai-n-o206oa 




Figure 19. Hierarchical Privilege Levels 



levels provide protection within a task. (Tasks are iso- 
lated by providing private LDT's for each task.) Operat- 
ing system routines, interrupt handlers, and other system 
software can be included and protected within the vir- 
tual address space of each task using the four levels of 
privilege. Tasks may also have a separate stack for each 
privilege level. 

Tasks, descriptors, and selectors have a privilege level 
attribute that determines whether the descriptor may be 
used. Task privilege effects the use of instructions and 
descriptors. Descriptor and selector privilege only effect 
access to the descriptor. 

TASK PRIVILEGE 

A task always executes at one of the four privilege levels. 
The task privilege level at any specific instant is called 
the Current Privilege Level (CPL) and is defined by the 
lower two bits of the CS register. CPL cannot change 
during execution in a single code segment. A task's CPL 
may only be changed by control transfers through gate 
descriptors to a new code segment (See Control Trans- 
fer). Tasks begin executing at the CPL value specified 
by the code segment when the task is initiated via a task 
switch operation. A task executing at Level can access 
all data segments defined in the GDT and the task's LDT 
and is considered the most trusted level. A task execut- 
ing at Level 3 has the most restricted access to data and 
is considered the least trusted level. 

DESCRIPTOR PRIVILEGE 

Descriptor privilege is specified by the Descriptor Privi- 
lege Level (DPL) field of the descriptor access byte. DPL 
specifies the least trusted task privilege level (CPL) at 
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which a task may access the descriptor. Descriptors with 
DPL = are the most protected. Only tasks executing 
at privilege level (CPL = 0) may access them. De- 
scriptors with DPL = 3 are the least protected (i.e. have 
the least restricted access) since tasks can access them 
when CPL = 0, 1 , 2, or 3. This rule applies to all descrip- 
tors, except LDT descriptors. 

SELECTOR PRIVILEGE 

Selector privilege is specified by the Requested Privi- 
lege Level (RPL) field in the least significant two bits of a 
selector. Selector RPL may establish a less trusted priv- 
ilege level than the current privilege level for the use of a 
selector. This level is called the task's effective privilege 
level (EPL). RPL can only reduce the scope of a task's 
access to data with this selector. A task's effective privi- 
lege is the numeric maximum of RPL and CPL. A selec- 
tor with RPL = imposes no additional restriction on its 
use while a selector with RPL = 3 can only refer to seg- 
ments at privilege Level 3 regardless of the task's CPL. 
RPL is generally used to verify that pointer parameters 
passed to a more trusted procedure are not allowed to 
use data at a more privileged level than the caller (refer 
to pointer testing instructions). 

Descriptor Access and Privilege Validation 

Determining the ability of a task to access a segment 
involves the type of segment to be accessed, the in- 
struction used, the type of descriptor used and CPL, 
RPL, and DPL. The two basic types of segment ac- 
cesses are control transfer (selectors loaded into CS) 
and data (selectors loaded into DS, ES or SS). 

DATA SEGMENT ACCESS 

Instructions that load selectors into DS and ES must 
refer to a data segment descriptor or readable code seg- 
ment descriptor. The CPL of the task and the RPL of the 
selector must be the same as or more privileged (nu- 
merically equal to or lower than) than the descriptor DPL. 
In general, a task can only access data segments at the 
same or less privileged levels than the CPL or RPL 
(whichever is numerically higher) to prevent a program 
from accessing data it cannot be trusted to use. 

An exception to the rule is a readable conforming code 
segment. This type of code segment can be read from 
any privilege level. 

If the privilege checks fail (e.g. DPL is numerically less 
than the maximum of CPL and RPL) or an incorrect type 
of descriptor is referenced (e.g. gate descriptor or exe- 
cute only code segment) exception 1 3 occurs. If the seg- 
ment is not present, exception 11 is generated. 



19 



AFN-02060A 



iapx 286/10 omf®™^yo®m 



Instructions that load selectors into SS must refer to data 
segment descriptors for writable data segments. The 
descriptor privilege (DPL) and RPL must equal CPL. All 
other descriptor types or a privilege level violation will 
cause exception 13. A not present fault causes excep- 
tion^. 

CONTROL TRANSFER 

Four types of control transfer can occur when a selector 
is loaded into CS by a control transfer operation (see 
Table 10). Each transfer type can only occur if the oper- 
ation which loaded the selector references the correct 
descriptor type. Any violation of these descriptor usage 
rules (e.g. JMP through a call gate or RET to aTask State 
Segment) will cause exception 13. 

The ability to reference a descriptor for control transfer 
is also subject to rules of privilege. A CALL or JUMP 
instruction may only reference a code segment descrip- 
tor with DPL equal to the task CPL or a conforming seg- 
ment with DPL of equal or greater privilege than CPL. 
The RPL of the selector used to reference the code de- 
scriptor must have as much privilege as CPL. 

RET and IRET instructions may only reference code 
segment descriptors with descriptor privilege equal to or 
less privileged than the task CPL. The selector loaded 
into CS is the return address from the stack. After the 
return, the selector RPL is the task's new CPL. If CPL 
changes, the old stack pointer is popped after the return 
address. 

When a JMP or CALL references a Task State Segment 
descriptor, the descriptor DPL must be the same or less 
privileged than the task's CPL. Reference to a valid Task 



State Segment descriptor causes a task switch (see Task 
Switch Operation). Reference to a Task State Segment 
descriptor at a more privileged level than the task's CPL 
generates exception 13. 

When an instruction or interrupt references a gate de- 
scriptor, the gate DPL must have the same or less privi- 
lege than the task CPL. If DPL is at a more privileged 
level than CPL, exception 13 occurs. If the destination 
selector contained in the gate references a code seg- 
ment descriptor, the code segment descriptor DPL must 
be the same or more privileged than the task CPL. If not, 
Exception 13 is issued. After the control transfer, the 
code segment descriptors DPL is the task's new CPL. If 
the destination selector in the gate references a task 
state segment, a task switch is automatically performed 
(see Task Switch Operation). 

The privilege rules on control transfer require: 

— JMP or CALL direct to a code segment (code seg- 
ment descriptor) can only be to a conforming segment 
with DPL of equal or greater privilege than CPL or a 
non-conforming segment at the same privilege level. 

— interrupts within the task or calls that may change 
privilege levels, can only transfer control through a 
gate at the same or a less privileged level than CPL to 
a code segment at the same or more privileged level 
than CPL. 

— return instructions that don't switch tasks can only re- 
turn control to a code segment at the same or less 
privileged level. 

— task switch can be performed by a call, jump or inter- 
rupt which references either a task gate or task state 
segment at the same or less privileged level. 



Table 10. Descriptor Access Rules for Control Transfer 



Control Transfer Types 


Operation Types 


Descriptor 
Referenced 


Descriptor 
Table 


Intersegment within the same privilege level 


JMP, CALL, RET, IRET* 


Code Segment 


GDT/LDT 


Intersegment to the same or higher privilege level Interrupt 
within task may change CPL. 


CALL 


Call Gate 


GDT/LDT 


Interrupt Instruction, 
Exception, External 
Interrupt 


Trap or 

Interrupt 

Gate 


IDT 


Intersegment to a lower privilege level (changes task CPL) 


RET, IRET* 


Code Segment 


GDT/LDT 


Task Switch 


CALL, JMP 


Task State 
Segment 


GDT 


CALL, JMP 


Task Gate 


GDT/LDT 


IRET** 

Interrupt Instruction, 
Exception, External 
Interrupt 


Task Gate 


IDT 



"NT (Nested Task bit of flag word) = 
*NT (Nested Task bit of flag word) = 1 
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PRIVILEGE LEVEL CHANGES 

Any control transfer that changes CPL within the task, 
causes a change of stacks as part of the operation. Initial 
values of SS:SP for privilege levels 0, 1 , and 2 are kept 
in the task state segment (refer to Task Switch Opera- 
tion). During a JMP or CALL control transfer, the new 
stack pointer is loaded into the SS and SP registers and 
the previous stack pointer is pushed onto the new stack. 

When returning to the original privilege level, its stack is 
restored as part of the RET or IRET instruction opera- 
tion. For subroutine calls that pass parameters on the 
stack and cross privilege levels, a fixed number of words, 
as specified in the gate, are copied from the previous 
stack to the current stack. The inter-segment RET in- 
struction with a stack adjustment value will correctly re- 
store the previous stack pointer upon return. 

Protection 

The 80286 includes mechanisms to protect critical in- 
structions that affect the CPU execution state (e.g. HLT) 
and code or data segments from improper usage. These 
mechanisms are grouped under the term "protection" 
and have three forms: 

Restricted usage of segments (e.g. no write allowed 
to read-only data segments). The only segments 
available for use are defined by descriptors in the Lo- 
cal Descriptor Table (LDT) and Global Descriptor Ta- 
ble (GDT). 

Restricted access to segments via the rules of privi- 
lege and descriptor usage. 

Privileged instructions or operations that may only be 
executed at certain privilege levels as determined by 
the CPL and I/O Privilege Level (IOPL). The IOPL is 
defined by bits 14 and 13 of the flag word. 

These checks are performed for all instructions and can 
be split into three categories: segment load checks (Ta- 
ble 11), operand reference checks (Table 12), and privi- 
leged instruction checks (Table 13). Any violation of the 
rules shown will result in an exception. A not-present 
exception related to the stack segment causes excep- 
tion 12. 

The IRET and POPF instructions do not perform some 
of their defined functions if CPL is not of sufficient privi- 
lege (numerically small enough). No exceptions or other 
indication are given when these conditions occur. 

The IF bit is not changed if CPL > IOPL. 

The IOPL field of the flag word is not changed if CPL 

>0. 



Table 11 

Segment Register Load Checks 



Error Description 


Exception 
Number 


Descriptor table limit exceeded 


13 


Segment descriptor not-present 


11 or12 


Privilege rules violated 


13 


Invalid descriptor/segment type seg- 
ment register load: 
— Read only data segment load to 
SS 

— Special control descriptor load to 

DS, ES, SS 
— Execute only segment load to 

DS, ES.SS 
— Data segment load to CS 
— Read/Execute code segment 

load to SS 


13 


Table 12. Operand Reference Checks 


Error Description 


Exception 
Number 


Write into code segment 
Read from execute-only code 
segment 

Write to read-only data segment 
Segment limit exceeded 1 


13 

13 
13 

12or13 


Note 1 : Carry out in offset calculations is ignored. 

Table 13. Privileged Instruction Checks 


Error Description 


Exception 
Number 


CPL =£ when executing the following 
instructions: 

LIDT, LLDT, LGDT, LTR, LMSW, 

CTS, HLT 


13 


CPL > IOPL when executing the fol- 
lowing instructions: 

INS, IN, OUTS, OUT, STI, CLI, 

LOCK 


13 



EXCEPTIONS 

The 80286 detects several types of exceptions and in- 
terrupts, in protected mode (see Table 14). Most are re- 
startable after the exceptional condition is removed. 
Interrupt handlers for most exceptions receive an error 
code, pushed on the stack after the return address, that 
identifies the selector involved (0 if none). The return 
address normally points to the failing instruction, includ- 
ing all leading prefixes. For a processor extension seg- 
ment overrun exception, the return address will not point 
at the ESC instruction that caused the exception; how- 
ever, the processor extension registers may contain the 
address of the failing instruction. 
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Table 14. Protected Mode Exceptions 



Interrupt 
Vector 


Function 


Return 
Address 
At Failing 
Instruction? 


Ml Way o 

Restart- 
able? 


Error 

Code 
on Stack? 


8 


Double exception detected 


Yes 


No 


Yes 


9 


Processor extension segment overrun 


No 


No 


No 


10 


Invalid task state segment 


Yes 


Yes 


Yes 


11 


Segment not present 


Yes 


Yes 


Yes 


12 


Stack segment overrun or segment not present 


Yes 


Yesl 


Yes 


13 


General protection 


Yes 


No 


Yes 



Note 1 : When a PUSHA or POPA instruction attempts to wrap around the stack segment, the machine state after the exception will not be 
restartable. This condition is identified by the value of the saved SP being either 0000(H), 0001 (H), FFFE(H), or FFFF(H). 



All these checks are performed for all instructions and 
can be split into three categories: segment load checks 
(Table 11), operand reference checks (Table 12), and 
privileged instruction checks (Table 13). Any violation of 
the rules shown will result in an exception. A not-present 
exception related to the stack segment causes excep- 
tion 12. 

Special Operations 

TASK SWITCH OPERATION 

The 80286 provides a built-in task switch operation which 
saves the entire 80286 execution state (registers, ad- 
dress space, and a link to the previous task), loads a 
new execution state, and commences execution in the 
new task. Like gates, the task switch operation is in- 
voked by executing an inter-segment JMP or CALL in- 
struction which refers to a Task State Segment (TSS) or 
task gate descriptor in the GDT or LDT An INT n instruc- 
tion, exception, or external interrupt may also invoke the 
task switch operation by selecting a task gate descriptor 
in the associated IDT descriptor entry. 

The TSS descriptor points at a segment (see Figure 20) 
containing the entire 80286 execution state while a task 
gate descriptor contains a TSS selector. The limit field 
must be>002B(H). 

Each task must have a TSS associated with it. The cur- 
rent TSS is identified by a special register in the 80286 
called the Task Register (TR). This register contains a 
selector referring to the task state segment descriptor 
that defines the current TSS. A hidden base and limit 
register associated with TR are loaded whenever TR is 
loaded with a new selector. 

The IRET instruction is used to return control to the task 
that called the current task or was interrupted. Bit 14 in 
the flag register is called the Nested Task (NT) bit. It 
controls the function of the IRET instruction. If NT = 0, 
the IRET instruction performs the regular current task 
return; when NT = 1 , IRET performs a task switch op- 
eration back to the previous task. 



When a CALL or INT instruction initiates a task switch, 
the old and new TSS will be marked busy and the back 
link field of the new TSS set to the old TSS selector. The 
NT bit of the new task is set by CALL or INT initiated task 
switches. An interrupt that does not cause a task switch 
will clear NT. NT may also be set or cleared by POPF or 
IRET instructions. 

The task state segment is marked busy by changing the 
descriptor type field from Type 1 to Type 3. Use of a 
selector that references a busy task state segment causes 
Exception 13. 

PROCESSOR EXTENSION CONTEXT SWITCHING 

The context of a processor extension (such as the 80287 
numerics processor) is not changed by the task switch 
operation. A processor extension context need only be 
changed when a different task attempts to use the pro- 
cessor extension (which still contains the context of a 
previous task). The 80286 detects the first use of a pro- 
cessor extension after a task switch by causing the pro- 
cessor extension not present exception (7). The interrupt 
handler may then decide whether a context change is 
necessary. 

Whenever the 80286 switches tasks, it sets the Task 
Switched (TS) bit of the MSW. TS indicates that a pro- 
cessor extension context may belong to a different task 
than the current one. The processor extension not pres- 
ent exception (7) will occur when attempting to execute 
an ESC or WAIT instruction if TS = 1 and a processor 
extension is present (MP = 1 in MSW). 

POINTER TESTING INSTRUCTIONS 

The iAPX 80286 provides several instructions to speed 
pointer testing and consistency checks for maintaining 
system integrity (see Table 15). These instructions use 
the memory management hardware to verify that a se- 
lector value refers to an appropriate segment without 
risking an exception. A condition flag indicates whether 
use of the selector or segment will cause an exception. 
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CPU 



TASK REGISTER 
TR 



15 

PROGRAM INVISIBLE 

15 



LIMIT 
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SYSTEM 

SEGMENT 

DESCRIPTOR 



TASK 
STATE 
SEGMENT 



INTEL RESERVED 



D 






P 





TYPE 


L 




111 



BASE23-16 



BASEi5_o 
I 



LIMIT 15 -o 
I 



TASK LDT SELECTOR 



DS SELECTOR 



SS SELECTOR 



CS SELECTOR 



ES SELECTOR 



BP 



FLAG WORD 



IP (ENTRY POINT) 



SS FOR CPL 2 



SP FOR CPL 2 



SS FOR CPL 1 



SP FOR CPL 1 



SS FOR CPL 



SP FOR CPL 



BACK LINK SELECTOR TO TSS 



__J 



TYPE 


DESCRIPTION 


1 


AN AVAILABLE TASK STATE 
SEGMENT. MAY BE USED AS 
THE DESTINATION OF A TASK 
SWITCH OPERATION. 


3 


A BUSY TASK STATE SEGMENT. 
CANNOT BE USED AS THE 
DESTINATION OF A TASK 
SWITCH. 



P 


DESCRIPTION 


1 


BASE AND LIMIT FIELDS ARE VALID 





SEGMENT IS NOT PRESENT IN 
MEMORY, BASE AND LIMIT ARE NOT 
DEFINED 



CURRENT 
> TASK 
STATE 



BYTE 
OFFSET 

42 
40 
38 
36 
34 
32 
30 
28 
26 
24 
22 
20 
18 
16 
14 
12 
10 



INITIAL 
) STACKS 
' FOR CPL 0,1,2 



Figure 20. Task State Segment and TSS Registers 
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Table 15. Pointer Test Instructions 



Instruction 


Operands 


Function 


ARPL 


Selector, 
Register 


Adjust Requested Privi- 
lege Level: adjusts the RPL 
of the selector to the nu- 
meric maximum of current 
selector RPL value and the 
RPL value in the register. 
Set zero flag if selector RPL 
was changed. 


VERR 


Selector 


VERify for Read: sets the 
zero flag if the segment re- 
ferred to by the selector can 
be read. 


VERW 


Selector 


VERify for Write: sets the 
zero flag if the segment re- 
ferred to by the selector can 
be written. 


LSL 


Register, 
Selector 


Load Segment Limit: reads 
the segment limit into the 
register if privilege rules and 
descriptor type allow. Set 
zero flag if successful. 


LAR 


Register, 
Selector 


Load Access Rights: reads 
the descriptor access rights 
byte into the register if priv- 
ilege rules allow. Set zero 
flag if successful. 



DOUBLE FAULT AND SHUTDOWN 

If two separate exceptions are detected during a single 
instruction execution, the 80286 performs the double 
fault exception (8). If an exception occurs during pro- 
cessing of the double fault exception, the 82086 will en- 
ter shutdown. During shutdown no further instructions 
or exceptions are processed. Either NMI (CPU remains 
in protected mode) or RESET (CPU exits protected mode) 
can force the 80286 out of shutdown. Shutdown is exter- 
nally signalled via a HALT bus operation with A-\ HIGH. 

PROTECTED MODE INITIALIZATION 

The 80286 initially executes in real address mode after 
RESET. To allow initialization code to be placed at the 
top of physical memory, A 2 3_2o wi" be HIGH when the 
80286 performs memory references relative to the CS 
register, until CS is changed. A23-20 wi H De zer0 f° r ref- 
erences to the DS, ES, or SS segments. Changing CS 
in real address mode will force A23-A20 LOW whenever 
using CS thereafter. The initial CS:IP value of FF00:FFF0 
provides 64K bytes of code space for initialization code 
without changing CS. 

Before placing the 80286 into protected mode, several 
registers must be initialized. The GDT and IDT base reg- 
isters must refer to a valid GDT and IDT. After executing 
the LMSW instruction to set PE, the 80286 must imme- 
diately execute an intra-segment JMP instruction to clear 
the instruction queue of instructions decoded in real ad- 
dress mode. 



To force the 80286 CPU registers to match the initial 
protected mode state assumed by software, execute a 
JMP instruction with a selector referring to the initial TSS 
used in the system. This will load the task register, local 
descriptor table register, segment registers and initial 
general register state. The TR should point at a valid 
TSS since a task switch operation involves saving the 
current task state. 

SYSTEM INTERFACE 

The 80286 system interface appears in two forms: a 
local bus and a system bus. The local bus consists of 
address, data, status, and control signals at the pins of 
the CPU. A system bus is any buffered version of the 
local bus. A system bus may also differ from the local 
bus in terms of coding of status and control lines and/or 
timing and loading of signals. The iAPX 286 family in- 
cludes several devices to generate standard system 
buses such as the IEEE 796 standard Multibus™ . 

Bus Interface Signals and Timing 

The iAPX 286 microsystem local bus interfaces the 80286 
to local memory and I/O components. The interface has 
24 address lines, 16 data lines, and 8 status and control 
signals. 

The 80286 CPU, 82284 clock generator, 82288 bus con- 
troller, 82289 bus arbiter, 8286/7 transceivers, and 8282/ 
3 latches provide a buffered and decoded system bus 
interface. The 82284 generates the system clock and 
synchronizes READY and RESET. The 82288 converts 
bus operation status encoded by the 80286 into com- 
mand and bus control signals. The 82289 bus arbiter 
generates multibus bus arbitration signals. These com- 
ponents can provide the timing and electrical power drive 
levels required for most system bus interfaces including 
the multibus. 

Physical Memory and I/O Interface 

A maximum of 16 megabytes of physical memory can 
be addressed in protected mode. One megabyte can be 
addressed in real address mode. Memory is accessible 
as bytes or words. Words consist of any two consecutive 
bytes addressed with the least significant byte stored in 
the lowest address. 

Byte transfers occur on either half of the 1 6-bit local data 
bus. Even bytes are accessed over D 7 _ while odd bytes 
are transferred over D 15 _ 8 . Even-addressed words are 
transferred over Di 5 _ in one bus cycle, while odd-ad- 
dressed words require two bus operations. The first 
transfers data on D 15 _ 8 , and the second transfers data 
on D 7 _ . Both byte data transfers occur automatically, 
transparent to software. 

Two bus signals, A and BHE, control transfers over the 
lower and upper halves of the data bus. Even address 
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byte transfers are indicated by A LOW and BHE HIGH. 
Odd address byte transfers are indicated by A HIGH 
and BHE LOW. Both A and BHE are LOW for even ad- 
dress word transfers. 

The I/O address space contains 64K addresses in both 
modes. The I/O space is accessible as either bytes or 
words, as is memory. Byte wide peripheral devices may 
be attached to either the upper or lower byte of the data 
bus. Byte-wide I/O devices attached to the upper data 
byte (D-|5_ 8 ) are accessed with odd I/O addresses. De- 
vices on the lower data byte are accessed with even I/O 
addresses. An interrupt controller such as Intel's 8259A 
must be connected to the lower data byte (D 7 _ ) for proper 
return of the interrupt vector. 

Bus Operation 

The 80286 uses a double frequency system clock (CLK 
input) to control bus timing. All signals on the local bus 
are measured relative to the system CLK input. The CPU 
divides the system clock by 2 to produce the internal 
processor clock, which determines bus state. Each pro- 
cessor clock is composed of two system clock cycles 
named phase 1 and phase 2. The 82284 clock generator 
output (PCLK) identifies the next phase of the processor 
clock. (See Figure 21.) 



ONE PROCESSOR CLOCK CYCLE - 



ONE BUST STATE- 



PHASE 1 
-OF PROCESSOR - 
CLOCK CYCLE 



PHASE 2 
-OF PROCESSOR- 
CLOCK CYCLE 



j — \ r 



ONE SYSTEM 
CLK CYCLE 



V 



Figure 21 . System and Processor 
Clock Relationships 

Six types of bus operations are supported; memory read, 
memory write, I/O read, I/O write, interrupt acknowl- 
edge, and halt/shutdown. Data can be transferred at a 
maximum rate of one word per two processor clock cycles. 

The iAPX 286 bus has three basic states: idle (Tj), send 
status (T s ), and perform command (T c ). The 80286 CPU 
also has a fourth local bus state called hold (T h ). T h in- 
dicates that the 80286 has surrendered control of the 
local bus to another bus master in response to a HOLD 
request. 

Each bus state is one processor clock long. Figure 22 
shows the four 80286 local bus states and allowed 
transitions. 



NEW CYCLE • HLDA 




HLDA • NEW CYCLE 



READY 



READY • NEW CYCLE 



Figure 22. 80286 Bus States 
Bus States 

The idle (Tj) state indicates that no data transfers are in 
progress or requested. The first active state, T s is sig- 
nalled by either status line ST or SO going LOW also 
identifying phase 1 of the processor clock. During T s , 
the command encoding, the address, and data (for a 
write operation) are available on the 80286 output pins. 
The 82288 bus controller decodes the status signals and 
generates Multibus compatible read/write command and 
local transceiver control signals. 

After T s , the perform command (T c ) state is entered. 
Memory or I/O devices respond to the bus operation 
during T c , either transferring read data to the CPU or 
accepting write data. T c states may be repeated as often 
as necessary to assure sufficient time for the memory or 
I/O device to respond. The READY signal determines 
whether T c is repeated. 

During hold (T h ), the 80286 will float all address, data, 
and status output pins enabling another bus master to 
use the local bus. The 80286 HOLD input signal is used 
to place the 80286 into the T h state. The 80286 HLDA 
output signal indicates that the CPU has entered T h . 

Pipelined Addressing 

The 80286 uses a local bus interface with pipelined tim- 
ing to allow as much time as possible for data access. 
Pipelined timing allows bus operations to be performed 
in two processor cycles, while allowing each individual 
bus operation to last for three processor cycles. 

The timing of the address outputs is pipelined such that 
the address of the next bus operation becomes available 
during the current bus operation. Or in other words, the 
first clock of the next bus operation is overlapped with 
the last clock of the current bus operation. Therefore, 
address decode and routing logic can operate in ad- 
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Figure 23. 

vance of the next bus operation. External address latches 
may hold the address stable for the entire bus operation, 
and provide additional AC and DC buffering. 

The 80286 does not maintain the address of the current 
bus operation during all T c states. Instead, the address 
for the next bus operation may be emitted during phase 
2 of any T c . The address remains valid during phase 1 
of the first T c to guarantee hold time, relative to ALE, for 
the address latch inputs. 

Bus Control Signals 

The 82288 bus controller provides control signals; ad- 
dress latch enable (ALE), Read/Write commands, data 
transmit/receive (DT/R), and data enable (DEN) that 
control the address latches, data transceivers, write en- 
able, and output enable for memory and I/O systems. 

The Address Latch Enable (ALE) output determines when 
the address may be latched. ALE provides at least one 
system CLK period of address hold time from the end of 
the previous bus operation until the address for the next 
bus operation appears at the latch outputs. This address 
hold time is required to support Multibus® and common 
memory systems. 

The data bus transceivers are controlled by 82288 out- 
puts Data Enable (DEN) and Data Transmit/Receive (DT/ 
R). DEN enables the data transceivers; while DT/R con- 
trols transceiver direction. DEN and DT/R are timed to 
prevent bus contention between the bus master, data 
bus transceivers, and system data bus tranceivers. 



<Z y 

VALID READ VALID READ 

DATA (N) DATA (N + 1) 



ic Bus Cycle 

Command Timing Controls 

Two system timing customization options, command ex- 
tension and command delay, are provided on the iAPX 
286 local bus. 

Command extension allows additional time for external 
devices to respond to a command and is analogous to 
inserting wait states on the 8086. External logic can con- 
trol the duration of any bus operation such that the op- 
eration is only as long as necessary. The READY input 
signal can extend any bus operation for as long as 
necessary. 

Command delay allows an increase of address or write 
data setup time to system bus command active for any 
bus operation by delaying when the system bus com- 
mand becomes active. Command delay is controlled by 
the 82288 CMDLY input. After T s , the bus controller 
samples CMDLY at each failing edge of CLK. If CMDLY 
is HIGH, the 82288 will not activate the command signal. 
When CMDLY is LOW, the 82288 will activate the com- 
mand signal. After the command becomes active, the 
CMDLY input is not sampled. 

When a command is delayed, the available response 
time from command active to return read data or accept 
write data is less. To customize system bus timing, an 
address decoder can determine which bus operations 
require delaying the command. The CMDLY input does 
not affect the timing of ALE, DEN, or DT/R. 
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Figure 24. CMDLY Controls and Leading Edge of the Command 



Figure 24 illustrates four uses of CMDLY. Example 1 
shows delaying the read command two system CLKs for 
cycle N-1 and no delay for cycle N, and example 2 shows 
delaying the read command one system CLK for cycle 
N-1 and one system CLK delay for cycle N. 

Bus Cycle Termination 

At maximum transfer rates, the iAPX 286 bus alternates 
between the status and command states. The bus status 
signals become inactive after T s so that they may cor- 
rectly signal the start of the next bus operation after the 
completion of the current cycle. No external indication of 
T c exists on the iAPX 286 local bus. The bus master and 
bus controller enter T c directly after T s and continue ex- 
ecuting T c cycles until terminated by READY. 



current bus operation. The bus master and bus control- 
ler must see the same sense of the READY signal, thereby 
requiring READY be synchronous to the system clock. 

Synchronous Ready 



READY Operation 

The current bus master and 82288 bus controller termi- 
nate each bus operation simultaneously to achieve 
maximum bus bandwidth. Both are informed in advance 
by READY active which identifies the last T c cycle of the 



The 82284 clock generator provides READY synchro- 
nization from both synchronous and asynchronous 
sources (see Figure 25). The synchronous ready input 
(SRDY) of the clock generator is sampled with the falling 
edge of CLK at the end of phase 1 of each T c . The state 
of SRDY is then broadcast to the bus master and bus 
controller via the READY output line. 

Asynchronous Ready 

Many systems have devices or subsystems that are 
asynchronous to the system clock. As a result, their ready 
outputs cannot be guaranteed to meet the 82284 SRDY 
setup and hold time requirements. The 82284 asynchro- 
nous ready input (ARDY) is designed to accept such 
signals. The ARDY input is sampled at the beginning of 
each T c cycle by 82284 synchronization logic. This pro- 
vides a system CLK cycle time to resolve its value before 
broadcasting it to the bus master and bus controller. 
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NOTES: 



1. S RDYEN is active low 

2. If SRDYE N is high, the state of SRDY will not effect READY 

3. ARDYEN is active low 



Figure 25. Synchronous and Asynchronous Ready 



Each ready input of the 82284 has an enable pin 
(SRDYEN and ARDYEN) to select whether the current 
bus operation will be terminated by the synchronous or 
asynchronous ready. Either of the ready inputs may ter- 
minate a bus operation. These enable inputs are active 
low and have the same timing as their respective ready 
inputs. Address decode logic usually selects whether 
the current bus operation should be terminated by ARDY 
or SRDY. 

Data Bus Control 

Figures 26, 27, and 28 show how the DT/R, DEN, data 
bus, and address signals operate for different combina- 
tions of read, write, and idle bus operations. DT/R goes 
active (LOW) for a read operaton. DT/R remains HIGH 
before, during, and between write operations. 

The data bus is driven with write data during the second 
phase of T s . The delay in write data timing allows the 



read data drivers, from a previous read cycle, sufficient 
time to enter 3-state OFF before the 80286 CPU begins 
driving the local data bus for write operations. Write data 
will always remain valid for one system clock past the 
last T c to provide sufficient hold time for Multibus or other 
similar memory or I/O systems. During write-read or write- 
idle sequences the data bus enters 3-state OFF during 
the second phase of the processor cycle after the last 
T c . In a write-write sequence the data bus does not enter 
3-state OFF between T c and T s . 

Bus Usage 

The 80286 local bus may be used for several functions: 
instruction data transfers, data transfers by other bus 
masters, instruction fetching, processor extension data 
transfers, interrupt acknowledge, and halt/shutdown. This 
section describes local bus activities which have special 
signals or requirements. 
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Figure 27. Back to Back Write-Read Cycles 
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Figure 28. Back to Back Write-Write Cycles 



HOLD and HOLDA 

HOLD and HLDA allow another bus master to gain con- 
trol of the local bus by placing the 80286 bus into the T h 
state. The sequence of events required to pass control 
between the 80286 and another local bus master are 
shown in Figure 29. 

In this example, the 80286 is initially in the Th state as 
signaled by HLDA being active. Upon leaving Th, as sig- 
naled by HLDA going inactive, a write operation is started. 
During the write operation another local bus master re- 
quests the local bus from the 80286 as shown by the 
HOLD signal. After completing the write operation, the 
80286 performs one Tj bus cycle, to guarantee write data 
hold time, then enters Th as signaled by HLDA going 
active. 

The CMDLY signal and ARDY ready are used to start 
and stop the write bus command, respectively. Note that 
SRDY must be inactive or disabled by SRDYEN to guar- 
antee ARDY will terminate the cycle. 

Instruction Fetching 

The 80286 Bus Unit (BU) will fetch instructions ahead of 
the current instruction being executed. This activity is 
called prefetching. It occurs when the local bus would 
otherwise be idle and obeys the following rules: 



A prefetch bus operation starts when at least two bytes 
of the 6-byte prefetch queue are empty. 

The prefetcher normally performs word prefetches in- 
dependent of the byte alignment of the code segment 
base in physical memory. 

The prefetcher will perform only a byte code fetch op- 
eration for control transfers to an instruction beginning 
on a numerically odd physical address. 

Prefetching stops whenever a control transfer or HLT 
instruction is^decoded by the IU and placed into the 
instruction queue. 

In real address mode, the prefetcher may fetch up to 
5 bytes beyond the last control transfer or HLT instruc- 
tion in a code segment. 

In protected mode, the prefetcher will never cause a 
segment overrun exception. The prefetcher stops at 
the last physical memory word of the code segment. 
Exception 13 will occur if the program attempts to ex- 
ecute beyond the last full instruction in the code 
segment. 

If the last byte of a code segment appears on an even 
physical memory address, the prefetcher will read the 
next physical byte of memory (perform a word code 
fetch). The value of this byte is ignored and any at- 
tempt to execute it causes exception 1 3. 
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NOTES: 

1 . Status lines are not driven by 80286, yet remain high due to pullup resistors in 82288 and 82289 during HOLD state. 

2. Address, M/IO and COD/INTA may start floating during any TC depending on when internal 80286 bus arbiter decides to release bus to 
external HOLD. The float starts in cf>2 of TC. 



3. BHE and LOCK may start floating after the end of any TC depending on when internal 80286 bus arbiter decides to release bus to 
external HOLD. 

4. The minimum HOLD I to HLDA I time is shown. Maximus is one T H longer. 

5. The earliest HOLD f time is shown which will always allow a subsequent memory cycle if pending. 

6. The minimum HOLD f to HLDA * time is shown. Maximum is a function of the instruction, type of bus cycle and other machine status 
(i.e., Interrupts, Waits, Lock, etc.) 

7. Asynchronous ready allows termination of the cycle. Synchronous ready does not signal ready in this example. Synchronous ready state 
is ignored after ready is signaled via the asynchronous input. 



Figure 29. Multibus Write Terminated by Asynchronous Ready 
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Processor Extension Transfers 

The processor extension interface uses I/O port ad- 
dresses 00F8(H), OOFA(H), and OOFC(H) which are part 
of the I/O port address range reserved by Intel. An ESC 
instruction with EM = and TS = will perform I/O bus 
operations to one or more of these I/O port addresses 
independent of the value of IOPL and CPL. 

ESC instructions with memory references enable the 
CPU to accept PEREQ inputs for processor extension 
operand transfers. The CPU will determine the operand 
starting address and read/write status of the instruction. 
For each operand transfer, two or three bus operations 
are performed, one word transfer with I/O port address 
OOFA(H) and one or two bus operations with memory. 
Three bus operations are required for each word oper- 
and aligned on an odd byte address. 

Interrupt Acknowledge Sequence 

Figure 30 illustrates an interrupt acknowledge se- 
quence performed by the 80286 in response to an INTR 
input. An interrupt acknowledge sequence consists of 
two INTA bus operations. The first allows a master 8259A 
Programmable Interrupt Controller (PIC) to determine 
which if any of its slaves should return the interrupt vec- 
tor. An eight bit vector is read by the 80286 during the 
second INTA bus operation to select an interrupt han- 
dler routine from the interrupt table. 

The Master Cascade Enable (MCE) signal of the 82288 
is used to enable the cascade address drivers, during 
INTA bus operations (See Figure 30), onto the local ad- 
dress busfor distribution to slave interrupt controllers via 
the system address bus. The 80286 emits the LOCK 
signal (active LOW) during T s of the first INTA bus oper- 
ation. A local bus "hold" request will not be honored until 
the end of the second INTA bus operation. 

Three idle processor clocks are provided by the 80286 
between INTA bus operations to allow for the minimum 
INTA to INTA time and CAS (cascade address) out delay 
of the 8259A. The second INTA bus operation must al- 
ways have at least one extra T c state added via logic 
controlling READY. A 2 3-A are in 3-state OFF until after 
the first T c state of the second INTA bus operation. This 
prevents bus contention between the cascade address 
drivers and CPU address drivers. The extra T c state al- 
lows time for the 80286 to resume driving the address 
lines for subsequent bus operations. 
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Local Bus Usage Priorities 

The 80286 local bus is shared among several internal 
units and external HOLD requests. In case of simulta- 
neous requests, their relative priorities are: 



(Highest) Any transfers which assert LOCK either ex- 
plicitly (via the LOCK instruction prefix) or 
implicitly (i.e. segment descriptor access, 
interrupt acknowledge sequence, or an 
XCHG with memory). 

The second of the two byte bus operations 
required for an odd aligned word operand. 

Local bus request via HOLD input. 

Processor extension data operand transfer 
via PEREQ input. 

Data transfer performed by EU as part of an 
instruction. 

(Lowest) An instruction prefetch request from BU. The 
EU will inhibit prefetching two processor 
clocks in advance of any data transfers to 
minimize waiting by EU for a prefetch to finish. 

Halt or Shutdown Cycles 

The 80286 externally indicates halt or shutdown condi- 
tions as a bus operation. These conditions occur due to 
a HLT instruction or multiple protection exceptions while 
attempting to execute one instruction. A halt or shut- 
down bus operation is signalled when ST, SO and COD/ 
TTTTA are LOW and M/lU is HIGH. HIGH indicates 
halt, and Ai LOW indicates shutdown. The 82288 bus 
controller does not issue ALE, nor is READY required to 
terminate a halt or shutdown bus operation. 

During halt or shutdown, the 80286 may service PEREQ 
or HOLD requests. A processor extension segment 
overrun exception during shutdown will inhibit further 
service of PEREQ. Either NMI or RESET will force the 
80286 out of either halt or shutdown. An INTR, if inter- 
rupts are enabled, or a processor extension segment 
overrun exception will also force the 80286 out of halt. 
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NOTES: 

1. Data is ignored. 

2. First INTA cycle should have at least one wait state inserted to meet 8259A minimum INTA pulse width. 

3. Second INTA cycle must have at least one wait state inserted since the CPU will not drive A 23 - Aq, BHE, and LOCK until after the first 
TC state. 

The CPU imposed one/clock delay prevents bus contention between cascade address buffer being disabled by MCE I and address 
outputs. 

Without the wait state, the 80286 address will not be valid for a memory cycle started immediately after the second INTA cycle. The 
8259A also requires one wait state for minimum INTA pulse width. 

4. LOCK is active for the first INTA cycle to prevent the 82289 from releasing the bus between INTA cycles in a multi-master system. 

5. A 23 - A exits 3-state OFF during </>2 of the second T c in the INTA cycle. 



Figure 30. Interrupt Acknowledge Sequence 
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Figure 31 . Basic iAPX 286 System Configuration 



SYSTEM CONFIGURATIONS 

The versatile bus structure of the iAPX 286 microsys- 
tem, with a full complement of support chips, allows flex- 
ible configuration of a wide range of systems. The basic 
configuration, shown in Figure 31 , is similar to an iAPX 
86 maximum mode system. It includes the CPU plus an 
8259A interrupt controller, 82284 clock generator, and 
the 82288 Bus Controller. The iAPX 86 latches (8282 
and 8283) and transceivers (8286 and 8287) may be 
used in an iAPX 286 microsystem. 

As indicated by the dashed lines in Figure 31 , the ability 
to add processor extensions is an integral feature of iAPX 
286 microsystems. The processor extension interface 
allows external hardware to perform special functions 
and transfer data concurrent with CPU execution of other 
instructions. Full system integrity is maintained because 
the 80286 supervises all data transfers and instruction 
execution for the processor extension. 

The iAPX 286/20 numeric data processor which in- 
cludes the 80287 numeric processor extension (NPX) 



uses this interface. The iAPX 286/20 has all the instruc- 
tions and data types of an iAPX 86/20 or iAPX 88/20. 
The 80287 NPX can perform numeric calculations and 
data transfers concurrently with CPU program execu- 
tion. Numerics code and data have the same integrity as 
all other information protected by the iAPX 286 protec- 
tion mechanism. 

The 80286 can overlap chip select decoding and ad- 
dress propagation during the data transfer for the pre- 
vious bus operation. This information is latched into the 
8282/3's by ALE during the middle of a T s cycle. The 
latched chip select and address information remains 
stable during the bus operation while the next cycles 
address is being decoded and propagated into the sys- 
tem. Decode logic can be implemented with a high speed 
bipolar PROM. 

The optional decode logic shown in Figure 31 takes ad- 
vantage of the overlap between address and data of the 
80286 bus cycle to generate advanced memory and IO- 
select signals. This minimizes system performance 
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Figure 32. Multibus System Bus Interface 



degradation caused by address propogation and de- 
code delays. In addition to selecting memory and I/O, 
the advanced selects may be used with configurations 
supporting local and system buses to enable the appro- 
priate bus interface for each bus cycle. The COD/ INTA 
and M/TO signals are applied to the decode logic to dis- 
tinguish between interrupt, I/O, code and data bus cycles. 

By adding the 82289 bus arbiter chip the 80286 provides 
a Multibus system bus interface as shown in Figure 32. 
The ALE output of the 82288 for the Multibus bus is 



connected to its CMDLY input to delay the start of com- 
mands one system CLK as required to meet Multibus 
address and write data setup times. This arrangement 
will add at least one extra T c state to each bus operation 
which uses the Multibus. 

A second 82288 bus controller and additional latches 
and transceivers could be added to the local bus of Fig- 
ure 32. This configuration allows the 80286 to support 
an on-board bus for local memory and peripherals, and 
the Multibus for system bus interfacing. 
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8287 



Do-15 



DTR r» 



CPU 



82288 
BUS 
CONTROLLER 



DATA 



DEN 



HDH 



82284 
CLOCK 
GENERATOR 



7S 




DRAM 

2118, 2164 



MHO, SO, SI 
LOCK 



l> 



Ao-23 



LOCAL 
SELECT 



8207 
DRAM 
CONTROL 



<=> 



DATA 



■ MULTIBUS SELECT 



MULTIBUS 
COMMAND 

(MRDC. MWTC. LOCK) 



SELECT 



ADDRESS 



Figure 33. iAPX 286 System Configuration with Dual-Ported Memory 



Figure 33 shows the addition of dual ported dynamic 
memory between the Multibus system bus and the iAPX 
286 local bus. The dual port interface is provided by the 
8207 Dual Port DRAM Controller. The 8207 runs syn- 
chronously with the CPU to maximize throughput for lo- 
cal memory references. It also arbitrates between 
requests from the local and system buses and performs 



functions such as refresh, initialization of RAM, and read/ 
modify/write cycles. The 8207 combined with the 8206 
Error Checking and Correction memory controller pro- 
vide for single bit error correction. The dual-ported 
memory can be combined with a standard Multibus sys- 
tem bus interface to maximize performance and protec- 
tion in multiprocessor system configurations. 
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PACKAGE 

The 80286 is packaged in a 68-pin, leadless JEDEC 
type A hermetic chip carrier. Figure 34 illustrates the 
package, and Figure 2 shows the pinout. 



.050 
(1.27) 



.800 
(20.32) 



.039 
(0.99) 



T 
1 



JUUUUUUUUUUUUUUUUUC 



g 
□ 

□ 
□ 
□ 
□ 

3 
3 
3 



PIN NO. 18 




c 
c 
c 
c 
c 
c 
c 
c 
c 

C 
c 
c 
c 



innnnnnnnnnnnnnnz 



.960 
(24.38) 



.960 
(24.38) 



-PIN NO 1 MARK 



.094 
■ (2.39) 



.066 
' (1-68) 



.130 
(3.30) 



Figure 34. 80286 JEDEC Type A Package 
ABSOLUTE MAXIMUM RATINGS* 



Ambient Temperature Under Bias 0°Cto70°C 

Storage Temperature - 65°C to + 1 50°C 

Voltage on Any Pin with 
Respect to Ground -0.3 to +7V 

Power Dissipation 3.6 Watt 

D.C. CHARACTERISTICS (80286: t a = o°cto70°c, v cc - 5V 



'NOTICE: Stresses above those listed under ' 'Absolute Max- 
imum Ratings" may cause permanent damage to the device. 
This is a stress rating only and functional operation of the de- 
vice at these or any other conditions above those indicated in 
the operational sections of this specification is not implied. 
Exposure to absolute maximum rating conditions for ex- 
tended periods may affect device reliability. 



10%) 



Symbol 


Parameter 


Min. 


Max. 


Units 


Test Conditions 


V|L 


Input Low Voltage 


-0.5 


+ 0.8 


V 




V| H 


Input High Voltage 


2.0 


Vqc + 0.5 


V 




Vol 


Output Low Voltage 




0.45 


V 


Iol = 3 mA 


V H 


Output High Voltage 


2.4 




V 


l H= -400 (xA 


ice 


Power Supply Current 




600 


mA 


T A = 25°C 


Ili 


Input Leakage Current 




±10 


fj,A 


0V =S V| N « V CC 


Ilo 


Output Leakage Current 




±10 


(j.A 


0.45V « Vqut * V CC 


Vol 


Clock Input Low voltage 


-0.5 


-0.6 


V 




Vch 


Clock Input High Voltage 


3.8 


V CC +10 


V 




C IN 


Capacitance of Inputs 
(All input except CLK) 




10 


pF 




c 


Capacitance of I/O or outputs 




20 


PF 


fc=1 MHz 


CCLK 


Capacitance of CLK Input 




12 


PF 


f c =1 MHz 
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A.C. CHARACTERISTICS (T A = o°c to 70°c, v cc = 5V ± 10%) 



80286 Timing Requirements 



oymDOl 


farameier 


Min 

Mm. 


nnax. 


1 Inite 

units 


lest oonamons 


-1 


oystem ciock penoo 


CO c 




ns 




o 


System clock low time 


1 O 


OQn 


ns 


ai .d voits 






oySTerri ciock nign Time 


on 




ns 


ai o.c. voiis 


A 


Ao\/nohrAnAi i<? inni it o^iti ii*\ t i m a 

Mbynoriruriuub inpui beiup urne 


on 




ns 


C aa noto *l 

Oct; r kj it? i 





Msyncnronous input noio time 






ns 


oee noie i 


6 


ritot 1 setup time 


ort 




ns 




1 


ntot 1 nolo time 


L) 




ns 







Read data in setup time 


10 




ns 




9 


Read data in hold time 


5 




ns 




10 


READY setup time 


38.5 




ns 




11 


READY hold time 


25 




nx 




12 


STATUS/PEACK valid delay 





40 


ns 




13 


Address valid delay 





60 


ns 




14 


Write data valid delay 





50 


ns 


C L = 100 Pfd max 


15 


Address/Status/Data float delay 





60 


ns 




16 


HLDA valid delay 





60 


ns 




82284 Timing Requirements 


Symbol 


Parameter 


Min. 


Max. 


Units 


Test Conditions 


17 


SRDY/SRDYEN setup time 


15 




ns 




18 


SRDY/SRDYEN hold time 







ns 




19 


ARDY/ARDYEN setup time 


-5 




ns 


See note 1 


20 


ARDY/ARDYEN hold time 


16 




ns 


See note 1 . 


21 


PCLK delay 





40 


ns 


C L = 75 pfd 
Iql = 5.25 ma 
Iqh = -1.05 ma 


NOTE 1 : These times are given for testing purposes to assure a predetermined action. 










82288 Timing Requirements 








Symbol 


Parameter 


Min. 


Max. 


Units 


Test Conditions 


22 


CMDLY setup time 


20 




ns 




23 


CMDLY hold time 







ns 




24 


Command delay 


5 


25 


ns 


Cl * 300 pfd max 
•ol = 32 ma max 
Ioh = -5 ma max 


25 


ALE active delay 


2.5 


12 


ns 




26 


ALE inactive delay 





15 


ns 




27 


DT/R read active delay 





25 


ns 




28 


DT/R read inactive delay 


15 


40 


ns 


Cl = 80 pfd max 
Iql = 16 ma max 
Iqh = - 1 ma max 


29 


DEN read active delay 


10 


50 


ns 


30 


DEN read inactive delay 


2.5 


20 


ns 


31 


DEN write active delay 


17.5 


40 


ns 




32 


DEN write inactive delay 


12.5 


47.5 


ns 
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WAVEFORMS 



MAJOR CYCLE TIMING 



BUS CYCLE TYPE 




A23-A0 
M/IO. COD/INTA 



BHE.LOCK 



w///////////// 



VALID ADDRESS 



® 



/////////////////////////// A 



D15-D0 . 



READY 



SRDYJ-SRDYEN > 



AROY+ARDYEN 



j \ r 



© 



VALID CONTROL 



© 



VALID ADDRESS 



® 




© 



VALID READ DATA 



® 



® 



© 



@ 



MRDC 



C3) 



® 



® 



V 



© 



© 



"Y 



© 



WK 



VALID CONTROL 



® 



® 



© 



VALID WRITE DATA 



IS 



© 



®\~- 



f 



V 



© 



© 



VALID IF T s 



)C 



VALID IF T s 



© 



\ 



© 




f 



mmzmzzzzmzL 



® 



® 



® 



^ifT 

/ IFTS \ 



®* 
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WAVEFORMS (Continued) 



80286 ASYNCHRONOUS INPUT SIGNAL TIMING 

BUS CYCLE TYPE 



PCLK 

(SEE NOTE 1) 



HOLD.PEREQ J] 
(SEE NOTE 2) ' 




NOTES: 

1 . PCLK indicates which processor cycle phase will occur on the next 
CLK . PCLK may not indicate the correct phase until the first bus 
cycle is performed. 

2. These inputs are asynchronous. The setup and hold times shown 
assure recognition for testing purposes. 



80286 RESET INPUT TIMING AND 
SUBSEQUENT PROCESSOR CYCLE PHASE 



RESET 



RESET 




NOTE 1 : When RESET meets the setup time shown, the next CLK 
will start or repeat $1 of a processor cycle. 



ENTERING AND EXITING HOLD 



BUS CYCLE TYPE 
V C H 

CLK 



S1 • 



A23 _ Ap 
M/IO, 
COD/INTA 



BHE.LOCK 



D15 " Do 



a PCLK 




(SEE NOTE 3.) 



m 



© K - 



T S OR T| T C OR T| 

M 



© 



\ IFT S 



(SEE NOTE 1.) 



© 



©j< (SEE NOTE 3.) 



(SEE NOTE 1.) 

© 



<^ pmm 



; VALID WRITE DATA 



<><?- 



(SEE NOTE 2.) 

® 



m 



j — 1 \ 1 s r 



NOTES: 

1 . These signals may still be driven by the 80286 during the time shown. The worst case in terms of latest float time is shown. 

2. The data bus will be driven as shown if the last cycle before T, in the diagram was a write T c . 

3. The 80286 floats its status pins during T H . External pullup resistors (in 82288) keep these signals high. 

4. For HOLD request set up to HLDA, refer to Figure 29. 
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WAVEFORMS (Continued) 



80286 PEREQ/PEACK TIMING REQUIRED PEREQ TIMING FOR ONE TRANSFER ONLY 



BUS CYCLE TYPE 




S1 • SO 



A J3 -A„ 

Ml ° A A 



COD INTA 
PEACK 



PEREQ 



I O READ IF PROC. EXT. TO MEMORY 
MEMORY READ IF MEMORY TO PROC. EXT. 



MEMORY WRITE IF PROC. EXT. TO MEMORY 
I WRITE IF MEMORY TO PROC. EXT. 



\ 



® 



(SEE NOTE 1.) 



f 



® 



(SEE NOTE 2.)- 



\ 



f 



MEMORY ADDRESS IF PROC. EXT. TO MEMORY TRANSFER 

I/O PORT ADDRESS OOFA(H) IF MEMORY TO PROC. EXT. TRANSFER 



I/O PORT ADDRESS OOFA(H) IF PROC. EXT. TO MEMORY TRANSFER 
MEMORY ADDRESS IF MEMORY TO PROC. EXT. TRANSFER 




NOTES: 



1 . PEACK always goes active during the first bus operation of a processor extension data operand transfer sequence. The first bus operation 
will be either a memory read at operand address or I/O read at port address OOFA(H). 

2. To prevent a second processor extension data operand transfer, the worst case maximum time (Shown above) is: 3X(T)-© max 
-(4) min The actual, configuration dependent, maximum time is: 3X (T) -(Jl) max -(4) min + AX2X(T). 

A is the number of extra T c states added to either the first or second bus operation of the processor extension data operand transfer 

sequence. 



INITIAL 80286 PIN STATE DURING RESET 




S1 • so 

PEACK 



A23 - A 



MIO 
COD INTA 



LOCK 



UNKNOWN 



7 



(SEE NOTE 2.) 



rr 



»»»»»»»»»>m»m r ^ 







5 w 


UNKNOWN ^ 







NOTES: 

1 . Setup time for RESET f may be violated with the consideration that ^ of the processor clock may begin one system CLK period later. 

2. Setup and hold times for RESET \ must be met for proper operation. 

3. The data bus is only guaranteed to be in 3-state OFF at the time shown. 
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BYTE 1 BYTE 2 

7654321076543210 



BYTE 3 



BYTE 4 



BYTE 5 



BYTE 6 



































OPC 


ODE 


d 


w 


m 


3d 


reg 


r/m 



LOW DISP/DATA j HIGH DISP/DATA 



LOW DATA 



HIGH DATA 



REGISTER OPERAND/REGISTERS TO USE IN OFFSET CALCULATION 
REGISTER OPERAND/EXTENSION OF OPCODE 
REGISTER MODE/MEMORY MODE WITH DISPLACEMENT LENGTH 
WORD/BYTE OPERATION 

DIRECTION IS TO REGISTER/DIRECTION IS FROM REGISTER 
OPERATION (INSTRUCTION) CODE 



A. SHORT OPCODE FORMAT EXAMPLE 

BYTE 1 BYTE 2 BYTE 3 

765432107654321076543210 



BYTE 5 

















I 
































LONG OPCODE 


mod 


reg 


r/m 



LOW DISP 



HIGH DISP 



B. LONG OPCODE FORMAT EXAMPLE 



Figure 35. 80286 Instruction Format Examples 



80286 INSTRUCTION SET SUMMARY 
Instruction Timing Notes 

The instruction clock counts listed below establish the 
maximum execution rate of the 80286. With no delays in 
bus cycles, the actual clock count of an 80286 program 
will average 5% more than the calculated clock count, 
due to instruction sequences which execute faster than 
they can be fetched from memory. 

To calculate elapsed times for instruction sequences, 
multiply the sum of all instruction clock counts, as listed 
in the table below, by the processor clock period. An 8 
MHz processor clock has a clock period of 1 25 nanosec- 
onds and requires an 80286 system clock (CLK input) of 
16 MHz. 

Instruction Clock Count Assumptions 

1 . The instruction has been prefetched, decoded, and 
is ready for execution. Control transfer instruction clock 
counts include all time required to fetch, decode, and 
prepare the next instruction for execution. 

2. Bus cycles do not require wait states. 

3. There are no processor extension data transfer or 
local bus HOLD requests. 

4. No exceptions occur during instruction execution. 



Instruction Set Summary Notes 

Addressing displacements selected by the MOD field 
are not shown. If necessary they appear after the in- 
struction fields shown. 

Above/below refers to unsigned value 

Greater refers to positive signed value 

Less refers to less positive (more negative) signed values 

if d = 1 then to register; if d = then from register 

if w = 1 then word instruction; if w = then byte 
instruction 

if s = then 1 6-bit immediate data form the operand 

if s = 1 then an immediate data byte is sign-extended 
to form the 1 6-bit operand 

x don't care 

z used for string primitives for comparison with ZF 
FLAG 

If two clock counts are given, the smaller refers to a reg- 
ister operand and the larger refers to a memory operand 

* = add one clock if offset calculation requires sum- 
ming 3 elements 

n = number of times repeated 

m = number of bytes of code in next instruction 

Level (L) — Lexical nesting level of the procedure 
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The following comments describe possible exceptions, 
side effects, and allowed usage for instructions in both 
operating modes of the 80286. 

REAL ADDRESS MODE ONLY 

1 . This is a protected mode instruction. Attempted ex- 
ecution in real address mode will result in an unde- 
fined opcode exception (6). 

2. A segment overrun exception (13) will occur if a word 
operand reference at offset FFFF(H) is attempted. 

3. This instruction may be executed in real address 
mode to initialize the CPU for protected mode. 

4. The IOPL and NT fields will remain 0. 

5. Processor extension segment overrun interrupt (9) 
will occur if the operand exceeds the segment limit. 

EITHER MODE 

6. An exception may occur, depending on the value of 
the operand. 

7. LOCK is automatically asserted regardless of the 
presence or absence of the LOCK instruction prefix. 

PROTECTED VIRTUAL ADDRESS MODE ONLY 

8. The destination of an INT, JMP, CALL, RET or IRET 
instruction must be in the defined limit of a code 
segment or a general protection exception (13) 
occurs. 

9. A general protection exception (13) will occur if the 
memory operand can not be used due to either a 
segment limit or access rights violation. If a stack 
segment limit is violated, a stack segment overrun 
exception (12) occurs. 



10. For segment load operations, the CPL, RPL, and 
DPL must agree with privilege rules to avoid an ex- 
ception. The segment must be present to avoid a 
not-present exception (11). If the SS register is the 
destination, and a segment not-present violation 
occurs, a stack exception (12) occurs. 

11. All segment descriptor accesses in the GDT or LDT 
made by this instruction will automatically assert 
LOCK to maintain descriptor integrity in multipro- 
cessor systems. 

1 2. JMP, CALL, INT, RET, IRET instructions referring to 
another code segment will cause a general protec- 
tion exception (13) if any privilege rule is violated. 

13. A general protection exception (13) occurs if CPL 
+ 0. 

14. A general protection exception (13) occurs if 
CPL > IOPL 

15. The IF field of the flag word is not updated if 
CPL > IOPL The IOPL field is updated only if 
CPL = 0. 

1 6. Any violation of privilege rules as applied to the se- 
lector operand do not cause a protection exception ; 
rather, the instruction does not return a result and 
the zero flag is cleared. 

17. If the starting address of the memory operand vio- 
lates a segment limit, or an invalid access is at- 
tempted, a general protection exception (13) will 
occur before the ESC instruction is executed. A stack 
segment overrun exception (12) will occur if the stack 
limit is violated by the operand's starting address. If 
a segment limit is violated during an attempted data 
transfer then a processor extension segment over- 
run exception (9) occurs. 
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80286 INSTRUCTION SET SUMMARY 













CLOCK COUNT 


COMMENTS 












Real 


Protected 


Real 


Protected 


FUNCTION 


FORMAT 








Address 


Virtual 


Address 


Virtual 








Mode 


Address 


Mode 


Address 














Mode 




Mode 


DATA TRANSFER 


















MOV = Move: 


















Register to Register/Memory 


|1 1 w | 


mod reg r/m | 






2,3* 


2,3* 


2 


9 


Register/memory to register 


|1 1 1 w | 


mod reg r/m | 






2,5* 


2,5* 


2 


9 


Immediate to register/memory 


|1 1 1 1 w | 


mod 000 r/m | 


data 


data if w = 1 


2,3* 


2,3* 


2 


9 


Immediate to register 


1 1 1 1 w reg | 


data 


data if w = 1 




2 


2 






Memory to accumulator 


|1 1 w | 


addr-low 


addr-high 




5 


5 


2 


9 


Accumulator to memory 


|1 1 1 w | 


addr-low 


addr-high 




3 


3 


2 


9 


Register/memory to segment register 


|1 1 1 1 | 


mod reg r/m | 






2,5* 


17,19* 


2 


9,10,11 


Segment register to register/memory 


|1 1 1 | 


mod reg r/m | 






2,3* 


2,3* 


2 


9 


PUSH = Push: 


















Memory 


h 1 1 1 1 1 1 1 I 


mod 110 r/m | 






5* 


5* 


2 


9 


Register 


1 10 1 reg | 








3 


3 


2 


9 


Segment register 


[0 reg 1 1 | 








3 


3 


2 


9 


HjjjHHHj^H 


|0 1 1 1 s | 


data | 


data if s = | 




3 


HUH 


2 


9 














17 


2 




POP = Pop: 


















Memory 


|1 1 1 1 1 | 


mod 00 r/m | 






5* 


5* 


2 


9 


Register 


1 10 1 1 reg | 








5 


5 


2 


9 


Segment register 


|0 reg 1 1 1 | 


(reg* 01) 






5 


20 


2 


9,10,11 


POPA = Pop All 


|0 1 1 1 | 






mmmm 


19 


19 


2 


9 


XCHG = Exchange: 


















Register/memory with register 


1 1 1 1 w i 


mod reg r/m | 






3,5* 


3,5* 


2,7 


7,9 


Register with accumulator 


1 1 10 reg | 








3 


3 






IN = Input from: 


















Fixed port 


|1 1 1 1 w | 


port | 






5 


5 




14 


Variable port 


|1 1 1 1 1 w | 








5 


5 




14 


OUT = Output to: 


















Fixed port 


|1 1 1 1 1 w | 


port | 






3 


3 




14 


Variable port 


|1 1 1 1 1 1 w | 








3 


3 




14 


XLAT = Translate byte to AL 


|1 10 10 11 1 | 








5 


5 




9 


LEA = Load EA to register 


|1 1 1 1 | 


mod reg r/m | 






3* 


3* 






LDS = Load pointer to DS 


|1 1 1 1 | 


mod reg r/m | 


(mod * 11) 




7* 


21* 


2 


9,10,11 


LES = Load pointer to ES 


|1 1 1 | 


mod reg r/m | 


(mod * 11) 




7* 


21* 


2 


9,10,11 


LAHF = Load AH with flags 


|1 1111 1 | 








2 


2 






SAHF = Store AH into flags 


|1 1111 | 








2 


2 






PUSHF= Push flags 


|1 1 1 1 | 








3 


3 


2 


9 


POPF = Pop flags 


|1 1 1 1 1 | 








5 


5 


2,4 


9,15 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 














CLOCK COUNT 


COMMENTS 


FUNCTION 


FORMAT 








Real 
Address 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode 


Protected 
Virtual 
Address 
Mode 


ADITUMCTIP 

AnilnMbllL 
ADD = Add: 


















Reg/memory with register to either 


|0 d w | 


mod reg r/m 






2,7* 


2,7" 


2 


9 


Immediate to register/memory 


|1 s w | 


mod r/m 


data 


data if s w = 01 


3,7* 


3,7* 


2 


9 


Immediate to accumulator 


|0 1 w | 


data 


data ifw = 1 


I 


3 


3 






ADC = Add with carry: 


















Reg/memory with register to either 


|0 1 d w | 


mod reg r/m 






2,7* 


2,7* 


2 


9 


Immediate to register/memory 


|1 s w | 


mod 1 r/m 


data 


dataif s w = 01 | 


3,7* 


3,7* 


2 


9 


Immediate to accumulator 


|0 1 1 w | 


data 


data if w = 1 


l 


3 


3 






INC = Increment: 


















Register/memory 


|1 1 1 1 1 1 1 w | 


mod r/m 






2,7* 


2,7* 


2 


9 


Register 


|0 1 reg | 








2 


2 






SUB = Subtract: 


















Reg/memory and register to either 


|0 1 1 d w | 


mod reg r/m 






2,7* 


2.7* 


2 


9 


Immediate from register/memory 


|1 s w | 


mod 101 r/m 


data 


data if s w = 1 | 


3,7* 


3,7* 


2 


9 


Immediate from accumulator 


|0 1 1 1 w | 


data 


data if w = 1 


I 


3 


3 






SBB = Subtract with borrow: 


















Reg/memory and register to either 


|0 1 1 d w | 


mod reg r/m 






2,7* 


2,7* 


2 


9 


Immediate from register/memory 


|1 s w | 


mod 011 r/m 


data 


| data if s w = 1 | 


3,7* 


3,7* 


2 


9 


Immediate from accumulator 


|0 1 1 1 w | 


data 


data if w = 1 


l 


3 


3 






DEC = Decrement: 


















Register/memory 


|1 1 1 1 1 1 1 w | 


mod 1 r/m 






2,7' 


2,7* 


2 


9 


Register 


1 10 1 reg | 








2 


2 






PMP — Pnmnarp* 


















Register/memory with register 


1 1 1 1 1 w | 


mod reg r/m 






2,6* 


2,6* 


2 


9 


Register with register/memory 


1 1 1 1 w | 


mod reg r/m 






2,7* 


2,7* 


2 


9 


Immediate with register/memory 


1 1 s w | 


mod 111 r/m 


data 


| data if s w = 1 | 


3,6* 


3,6* 


2 


9 


Immediate with accumulator 


1 1 1 1 1 w | 


data 


data if w = 1 


I 


3 


3 






NEG = Change sign 


|1 11 10 11 w| 


mod 011 r/m 






2 


7* 


2 


9 


AAA = ASCI I adjust for add 


1 1 1 1 1 1 | 








3 


3 






DAA = Decimal adjust for add 


1 1 1 1 1 | 








3 


3 






AAC — AQPII aHinct fnr cnhtrart 


I n n 1 1 1 1 1 1 I 

| U U I I I II I | 








3 


3 






DAS = Decimal adjust for subtract 


1 1 1 1 1 1 | 








3 


3 






MUL = Multiply (unsigned): 


|1 1 1 1 1 1 w | 


mod 1 r/m 














Register-Byte 
Register-Word 
Memory-Byte 
Memory-Word 










13 
21 
16* 
24* 


13 
21 
16* 
24* 


2 
2 


9 
g 


IMUL = Integer multiply (signed): 


|1 1 1 1 1 1 w | 


mod 1 1 r/m 














Register-Byte 
Register-Word 
Memory-Byte 
Memory-Word 










13 
21 
16* 
24* 


13 
21 
16* 
24* 


2 
2 


9 
9 


IMUL = Integer immediate multiply 


1 1 1 1 s 1 | 


mod reg r m 


data 


data if s = 


21,24* 


21,24* 


2 


9 


(signed) 




































DIV = Divide (unsigned): 


|1 1 1 1 1 1 w | 


mod 1 1 r/m 














Register-Byte 
Register-Word 
Memory-Byte 
Memory-Word 










14 
22 
17* 
25* 


14 
22 

17* 
25* 


2,6 
2,6 


6,9 
6,9 


Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION 



FORMAT 



CLOCK COUNT 



Real 
Address 



Protected 
Virtual 
Address 



COMMENTS 



Real 
Address 
Mode 



ARITHMETIC (Continued): 

IDIV = Integer divide (signed): 

Register-Byte 

Register-Word 

Memory-Byte 

Memory-Word 

AAM = ASCII adjust for multiply 
AAD = ASCI I adjust for divide 
CBW = Convert byte to word 
CWD = Convert word to double word 

LOGIC 

Shift/Rotate Instructions: 

Register/Memory by 1 

Register/Memory by CL 



1 


1 1 1 


1 


1 


w 


mod 1 1 1 r/m | 




h 


1 1 


1 








1 1 | 


h 


1 1 


1 





1 


1 1 0| 



|1 1 1 | 
|1 1 1 1 I 



1 1 1 1 w | mod TTT r/m 1 
1 1 1 1 1 w | mod TTT r/m^ 
|1 1 w | mod TTT r/m | count [ 



17 
25 
20* 
28* 
16 

14 

2 
2 



2,7* 
5+n,8+n" 
5+11.8+0- 



TTT Instruction 

ROL 



1 

1 

1 1 

1 
1 1 
1 1 1 



ROR 
RCL 
RCR 
SHL/SAL 
SHR 
SAR 



AND = And: 

Reg/memory and register to either 
Immediate to register/memory 
Immediate to accumulator 

TEST= And function to (lags, no result: 

Register/memory and register 

Immediate data and register/memory 
Immediate data and accumulator 

OR = 0r: 

Reg/memory and register to either 
Immediate to register/memory 
Immediate to accumulator 

XOR = Exclusive or: 

Reg/memory and register to either 

Immediate to register/memory 
Immediate to accumulator 
NOT = Invert register/memory 

STRING MANIPULATION: 
MOVS = Move byte/word 
CMPS = Compare byte/word 
SCAS = Scan byte/word 
LODS = Load byte/wd to AL/AX 
STOS = Stor byte/wd from AL/A 
INS = Input byte/wd from OX port 



1 d w 



1 w 



1 1 w 



1 1 w 



1 1 1 1 1 1 w 



1 1 1 w 



1 d w 



1 w 



1 1 w 



1 1 d w 



1 w 



1 1 1 w 



1 1 1 1 1 1 w 



1 1 1 w 



1 1 1 1 w 



1- 1 1 1 1 w 



1 1 1 1 w 



1 1 1 1 w 



1 1 1 1 w 



mod reg r/m 



mod 10 r/m 



mod reg r/m 



mod r/m 



mod reg r/m 



mod 01 r/m 



data 



mod reg r/m 



mod 110 r/m 



data 



mod 1 r/m 



data 



data if w = 1 



data 



iifw = 1 



data 



dataifw = 1 



data 



data if w = 1 



data if w = 1 



data if w = 1 



data if w = 1 



data if w = 1 



2,7* 
3,7* 
3 

2,6* 
3,6* 
3 

2,7* 
3,7* 
3 

2,7* 
3,7* 

3 
2,7* 



17 
25 
20* 
28* 
16 
14 

2 

2 



2,7* 
5+n,8+n* 
■ 



2,7* 

3,7* 
3 

2,6* 
3,6* 
3 

2,7* 
3,7* 
3 

2,7* 
3,7* 

3 
2,7* 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION 



FORMAT 



CLOCK COUNT 



Real 
Address 
Mode 



Protected 
Virtual 

Address 
Mode 



COMMENTS 



Real 
Address 
Mode 



Protected 
Virtual 

Address 
Mode 



STRING MANIPULATION (Continued): 

Repeated by count in CX 
MOVS = Move string 

CMPS = Compare string 

SCAS = Scan string 

LOOS = Load string 

STOS = Store string 

■ 



10010|101001 0"w] 



1001 z [10 10 11 "w] 



1001 z | 1 1 1 1 i~w~| 



1001 | 1 1 1 1 6~w~| 



1001 1 1 1 1 1 w| 




CONTROL TRANSFER 

CALL = Call: 

Direct within segment 

Register/memory 
indirect within segment 

Direct intersegment 



|1 1 1 1 I disp-low disp-high 
1 1 1 1 1 1 1 1 1 | mod 1 r/m | 



[10 110 10 1 



segment offset 



segment selector 



Protected Mode Only (Direct intersegment): 

Via call gate to same privilege level 

Via call gate to different privilege level, no parameters 

Via call gate to different privilege level, x parameters 

ViaTSS 

Via task gate 



Indirect intersegment 



1 1 1 1 1 1 1 1 1 | mod 1 1 r/m | (mod 4 11) 



I Mode Only (Indirect intersegment): 

Via call gate to same privilege level 

Via call gate to different privilege level, no parameters 

Via call gate to different privilege level, x parameters 

ViaTSS 

Via task gate 



JMP = Unconditional jump: 

Short/long 

Direct within segment 
Register/memory indirect within segment |jM 

Direct intersegment |1 110 10 1 



[1110 10 11] disp-low ~] 
|1 1 1 1 1 | disp-low ~f 



disp-high 



mod 1 r/m 



segment offset 



Protected Mode Only (Direct intersegment): 

Via call gate to same privilege level 

ViaTSS 

Via task gate 



c 



segment selector 



Indirect intersegment 



|1 1 1 1 1 1 1 1 | modi 01 r/m | (mod 4 11) 



Protected Mode Only (Indirect intersegment): 

Via call gate to same privilege level 

ViaTSS 

Via task gate 



RET = Return from CALL: 

Within segment 

Within seg adding immed to SP 
Intersegment 

Intersegment adding immediate to SP 



h 


1 1 


1 1 






h 


10 1 


o| 


data-low 


data-high 


h 


10 10 1 


'I 






h 


10 10 1 


°l 


data- low 


data-high 



Protected Mode Only (RET): 

To different privilege level 



5 + 4n 
5 + 9n 
5 + 8n 
5 + 4n 

4 + 3n 

5 + 4n 



5 + 4n 
5 + 9n 
5 + 8n 
5 + 4n 

4 + 3n 

5 + 4n 



7 + m 
7+m,11+m 

13 + m 



16 + m 



7 + m 
7 + m 
7+m,11+m* 

Tt+rti 



15+m - 



11 + m 
11 +m 
15 + m 
15 + m 



7 + m 
7+m,11+m" 

26 + m 



41 + m 
82+m 
86+4x+m 
177+m 
182 + m 

29 +m - 



44+m' 
83+irT 
90+4x+m - 
180+m - 
185+m' 



7 + m 
7 + m 
7+m,1l +m* 

23 + m 



38 + m 
175+m 
180+m 

26+m - 



41 +m* 
178+m- 
183+m" 



11+m 
11+m 
25 + m 



55 + m 



9 
9 
9 
9 
9 
9.14 



8,9 

8,11,12 



8,11,12 
8,11,12 
8,11,12 
8,11,12 
8,11,12 

8,9.11,12 



8.9.11.12 
8.9.11,12 
8,9,11.12 
8.9,11.12 
8,9,11,12 



8,9 



8,11,12 



8,11,12 
8,11,12 
8,11,12 

8,9,11.12 



8,9,11,12 
8,9,11,12 
8,9,11,12 



8,9 
8,9 

8,9,11,12 
8,9,11.12 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION 



FORMAT 



CLOCK COUNT 



Real 
Address 
Mode 



Protected 
Virtual 

Address 
Mode 



COMMENTS 



Real 
Address 
Mode 



Protected 
Virtual 

Address 
Mode 



CONTROL TRANSFER (Continued): 
JE/JZ = Jump on equal/zero 
JL/JNGE = Jump on less/not greater or equal 
JLE/JNG = Jump on less or equal/not greater 
JB/JNAE = Jump on below/not above or equal 
JBE/JNA = Jump on below or equal/not above 
JP/JPE = Jump on parity/parity even 
JO = Jump on overflow 
JS = Jump on sign 

JNE/JNZ = Jump on not equal/not zero 
JNL/JGE = Jump on not less/greater or equal 
JNLE/JG = Jump on not less or equal/greater 
JNB/JAE = Jump on not below/above or equal 
JNBE/J A = Jump on not below or equal/above 
JNP/JPO = Jump on not par/par odd 
JNO = Jump on not overflow 
JNS = Jumponnotsign 
LOOP = Loop CX times 
LOOPZ/LOOPE = Loop wnile zero/equal 
LOOPNZ/LOOPNE = Loop while not zero/equal 
JCXZ = Jump on CX zero 



ENTER = Enter Procedure 

L = 
L-1 

= Leave Procedure 

INT= Interrupt: 

Type specified 

Type 3 

INTO = Interrupt on overflow 





1 - 


10 10 


| 


disp 


|o 


1 


1110 


| 


disp 


1° 


1 


1111 


| 


disp 


1° 


1 


10 1 


| 


disp 


|o 


1 


10 11 


I 


disp 




o 


1 


110 1 





disp 




l« 


1 


10 


| 


disp 




1 


110 


| 


disp 


1° 


1 


10 10 


1 I 


disp 


|o 


1 


1110 


1 I 


disp 




|o 


1 


1111 


1 I 


disp 


1° 


1 


10 1 


1 I 


disp 


|o 


1 


10 11 


1 I 


disp 




|o 


1 


110 1 


1 I 


disp 


1° 


1 


10 


1 I 


disp 


|o 


1 


110 


1 I 


disp 




h 


1 


1 


| 


disp 


h 


1 





1 I 


disp 


h 


1 





| 


disp 


h 


1 


1 


1 I 


disp 



[Ti o oTToTj 



|1 10 110 1 



|1 1 1 1 | 
|1 10 111 | 



Protected Mode Only: 

Via interrupt or trap gate to same privilege level 
Via interrupt or trap gate to fit different privilege level 
Via Task Gate 



IRET = Interrupt return 

Protected Mode Only: 

To different privilege level 
To different task (NT=1) 

BOUND = Detect value out of range 



| 1 10 111 1 | 



type 



110 



mod reg r ~m [ 



_ 



7 + mor3 
7+mor3 
7 + mor3 
7 + mor3 
7 + mor3 
7 + mor3 
7+mor3 
7 + mor3 
7+mor3 
7+mor3 
7+mor3 
7 + mor3 
7+mor3 
7+mor3 
7+mor3 

7 + mor3 

8 + mor4 
8+mor4 
8+mor4 
8 + mor4 



11 
15 

16+411-1) 
5 



23 + m 

23 + m 

24+mor3 
(3 it no 
interrupt) 



17 + m 



13" 



7 + mor3 
7 + mor3 
7+mor3 
7 + mor3 
7+mor3 
7 + mor3 
7 + mor3 
7 + mor3 
7 + mor3 
7+mor3 
7+mor3 
7+mor3 
7 + mor3 
7 + mor3 

7 + mor3 
7+mor3 

8 + mor4 
8 + mor4 
8 + mor4 
8 + mor4 



11 
15 

+4|L-1) 
5 



24+ m or3 
(3 if no 
interrupt) 

40 + m 
78 + m 
167+m 

31 +m 



55 + m 
169+m 

13* 
(Use INT clock 



2,4 



2,6 



8,11,12 
8,11,12 
8,11,12 

8,9,11,12,15 



8,9,11,12,15 
8,9.11,12 

6,8,9,11,12 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION 



FORMAT 



CLOCK COUNT 



Real 
Address 



Protected 
Virtual 

Address 
Mode 



COMMENTS 



Real 
Address 
Mode 



PROCESSOR CONTROL 

CLC = Clear carry 

CMC = Complement carry 
STC = Set carry 
CLD = Clear direction 
STD = Set direction 
CLI = Clear interrupt 
STI = Set interrupt 
HLT= Halt 
WAIT = Wait 
LOCK = Bus lock prefix 



ESC = Processor Extension Escape 



PROTECTION CONTROL 

LGDT = Load global descriptortable register 

SGDT = Store global descriptortable register 

LIDT " Load interrupt descriptor table register 

SIOT = Store interrupt descriptortable register 

LLDT = Load local descriptortable register 
from register memory 

SLOT = Store local descriptor table register 
to register memory 

LTR = Load task register 
from register memory 

STR = Store task register 
to register memory 

LMSW = Load machine status word 
from register/memory 

SMSW = Store machine status word 

LAR = load access rights 
from register memory 

LSL = Load segment limit 

from registerTr.emory 
ARPL = Adjust requested privilege level: 
from register/memory 

VERR = Verify read access: register/memory 

VERR = Verily write access: 



(TTT LLL are opcode to processor extension) 



110 



10 10 1 



110 1 



1110 



1110 1 



110 10 



110 11 



10 10 



110 1 1 



1110 



1 1 1 1 



1 1 1 T T T 



1 To] 



mod LLL r/m | 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



1 



00000000 



ooooocoo 



00000000 



00000000 



1 



1 



10 



11 



110 11 



00000000 



00000000 



mod 1 r/m 



mod 000 r/m 



mod 011 r/m 



mod 001 r'm 



mod 010 r.'m 



mod 00 r/m 



mod 1 1 r.'m 



mod 01 r/m 



mod 1 1 r/m 



mod 1 r m 



mod reg r/m 



mod reg r/m 



mod reg r/m 



mod 1 r/m 



mod 101 r/m 







Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 



2 
2 
2 
2 
2 
3 
2 
2 
3 

2 

9-20* 



11* 
11* 
12' 
12* 



3,6* 
2,3* 



2 
2 
2 
2 
2 
3 
2 
2 
3 

2 

9-20* 



11* 
11* 
12* 
12* 

17,19* 
2,3* 

17,19* 

2,3* 

3,6* 
2,3* 

14,16* 

14.16* 

10* . 11 * 
14.16* 
14,16* 



2,3 
2,3 
2,3 
2.3 

1 

1 

1 

1 

2.3 

2.3 

1 

1 

2 
1 
1 
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Footnotes 

The effective Address (EA) of the memory operand is 
computed according to the mod and r/m fields: 

if mod = 1 1 then r/m is treated as a REG field 

if mod = OOthenDISP = 0*, disp-low and disp-high 

are absent 

if mod = 01 then DISP = disp-low sign-extended to 

1 6-bits, disp-high is absent 

if mod = 10 then DISP = disp-high: disp-low 

if r/m = 000 then EA = (BX) + (SI) + DISP 
if r/m = 001 then EA = (BX) + (Dl) + DISP 
if r/m = 010thenEA = (BP) + (SI) + DISP 
if r/m = 01 1 then EA = (BP) + (Dl) + DISP 
if r/m = 100 then EA = (SI) + DISP 
if r/m = 101 thenEA = (Dl) + DISP 
if r/m = 110 thenEA = (BP) + DISP* 
if r/m = 1 1 1 then EA = (BX) + DISP 

DISP follows 2nd byte of instruction (before data if 
required) 

"except if mod = 00 and r/m = 110 then EA = disp-high: disp-low. 



REG is assigned according to the following table: 



16-Bit (w = 1) 


8-Bit (w = 0) 


000 AX 


000 AL 


001 CX 


001 CL 


010 DX 


010 DL 


011 BX 


011 BL 


100 SP 


100 AH 


101 BP 


101 CH 


110 SI 


110 DH 


111 Dl 


111 BH 



The physical addresses of all operands addressed by 
the BP register are computed using the SS segment 
register. The physical addresses of the destination op- 
erands of the string primitive operations (those ad- 
dressed by the Dl register) are computed using the ES 
segment, which may not be overridden. 



SEGMENT OVERRIDE PREFIX 



1 reg 1 1 



reg is assigned according to the following: 

Segment 
reg Register 



00 
01 
10 

11 



ES 
CS 
SS 
DS 
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